GitHub has announced a significant security overhaul for npm, the world's most widely used JavaScript package manager. Starting with npm version 12, dependency scripts will no longer execute automatically during package installation unless developers explicitly approve them.

The move comes in response to a growing number of software supply chain attacks that have abused npm's automatic script execution mechanism to deliver malware and compromise developer environments. npm v12 is expected to be released in July 2026.

What Is Changing in npm 12?

Traditionally, running the command:

npm install

would automatically execute lifecycle scripts such as:

  • preinstall
  • install
  • postinstall

for any dependency included in a project.

With npm 12, these scripts will be disabled by default unless they have been explicitly approved by the developer. This creates a more secure, allowlist-based model instead of the previous trust-by-default approach.

GitHub stated that these install-time scripts represent one of the largest code execution surfaces within the npm ecosystem.

Why Is GitHub Making This Change?

Over the past year, attackers have increasingly targeted npm packages to distribute malware.

Several high-profile campaigns leveraged malicious install scripts embedded within packages to execute unauthorized code on developer machines and CI/CD systems. Incidents involving the TeamPCP campaign and the Shai-Hulud self-replicating worm demonstrated how dangerous automatic script execution can be.

By disabling automatic script execution, GitHub aims to:

  • Reduce software supply chain risks
  • Prevent malicious code from running during installation
  • Limit attack opportunities within dependency chains
  • Strengthen security across developer workstations and CI/CD environments

This represents a major shift toward a "Zero Trust" approach to dependency management.

Additional Security Restrictions in npm 12

The upcoming release introduces more than just script execution controls.

1. Git Dependencies Require Approval

npm will no longer automatically resolve dependencies fetched from Git repositories.

Developers must explicitly allow Git-based dependencies before they can be installed. This change closes a potential code execution path where malicious configurations could be introduced through Git dependencies.

2. Remote URL Dependencies Are Blocked

Dependencies delivered through remote URLs, including HTTPS tarballs, will also require explicit approval.

This prevents attackers from silently introducing external code into projects during installation.

3. Native Module Builds Are Affected

Packages that rely on native compilation through node-gyp will no longer build automatically unless explicitly permitted.

Developers using native modules should review their build pipelines before upgrading to npm 12.

How Developers Can Prepare

GitHub recommends upgrading to npm 11.16.0 or later before npm 12 becomes generally available.

Developers can use:

npm approve-scripts --allow-scripts-pending

to identify packages that currently execute installation scripts.

Trusted packages can then be approved, while unnecessary or suspicious scripts can be denied. The resulting allowlist is stored within the project's configuration, ensuring consistent behavior across environments.

Potential Impact on Development Teams

While the change significantly improves security, it may also introduce compatibility issues.

Projects relying on:

  • Post-install setup scripts
  • Native module compilation
  • Git-based dependencies
  • Remote package sources

may experience installation failures after upgrading to npm 12 unless the required permissions are configured. Organizations should review CI/CD workflows and dependency management practices before deployment.

Industry Reaction

The cybersecurity and developer communities have largely welcomed the change, viewing it as a long-overdue security improvement.

Many security professionals believe npm's previous behavior granted excessive trust to third-party packages, creating an attractive attack surface for threat actors. Similar protections have already been adopted by other package managers, and npm's move aligns the ecosystem with modern software supply chain security practices.

Conclusion

npm 12 marks one of the most important security-focused updates in the package manager's history. By disabling automatic execution of dependency scripts and restricting potentially dangerous installation behaviors, GitHub is taking a proactive step toward reducing software supply chain attacks.

Although developers may need to adjust existing workflows, the long-term benefit is a safer and more trustworthy JavaScript ecosystem. Organizations are encouraged to begin testing their projects now to ensure a smooth transition when npm 12 officially launches.