npm 12 Is Changing Script Execution
Since its first release, npm install has run code automatically. Lifecycle hooks such as preinstall and postinstall let a package execute scripts the moment it is installed, which means code from a package you downloaded ran on your machine before you had reviewed a line of it.
This trust model ends with npm 12.
Starting in July 2026, GitHub is moving npm from opt-out to opt-in: install-time code runs only when you have explicitly allowed it. That closes off the most common way a malicious package gets code execution on a developer machine or CI runner.
Here is what changes in npm 12:
- Lifecycle scripts declared by dependencies (preinstall, postinstall and similar hooks) no longer run automatically during install. You allow them per package with npm approve-scripts.
- Native addon builds via node-gyp are blocked by default, since they are triggered by the same install hooks. You must allow them explicitly.
- Git and remote URL dependencies (for example a github:user/repo spec or a tarball URL) will not resolve unless you pass the --allow-git or --allow-remote flag.
- A new min-release-age setting lets you refuse package versions that were published less than a given number of days ago, so a freshly published and possibly hijacked version has time to be vetted or pulled before your install picks it up.
Attackers exploit the current default. A malicious version of axios recently shipped a payload that executed one second after installation. It stayed live on the registry for three hours, and for a package with axios's download volume that is enough time to reach millions of users.
You can prepare now. If you use npm 11.16.0 or later, run this command:
npm approve-scripts --allow-scripts-pending
It lists the dependencies that declare install scripts. Approve the ones you trust, and the approvals are saved to your package.json, so the switch to npm 12 does not break your install. Do this before the breaking change arrives.
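To make the inventory concrete before the switch, here is an added example covering both the list of changes above and the prepare-now step. It is not code from the post or from npm: it walks constructed package manifests and registry publish times to report which dependencies declare install hooks (including node-gyp builds), which dependency specs point at git or remote URLs, and which versions a min-release-age policy would allow. The hook list, the URL heuristics in classifySpec, and the treatment of min-release-age as whole days are this example's own assumptions; a real resolver would also apply the semver range, which is omitted here.

```javascript
// Added example, not code from the page or from npm itself. It inventories the
// three things npm 12 stops doing automatically, over constructed manifest and
// registry data, so you know what to approve (or fix) before the switch.
// Assumptions (this example's own, not npm's): the hook list, the URL heuristics
// in classifySpec, and min-release-age measured in whole days.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// 1. Dependencies that declare install-time hooks: the set npm approve-scripts
//    asks you to vet. Native builds are flagged separately because npm 12
//    gates node-gyp on its own.
function findLifecycleScripts(manifests) {
  const hits = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length === 0) continue;
    const nativeBuild = hooks.some((h) => /node-gyp/.test(scripts[h]));
    hits.push({ name: m.name, version: m.version, hooks, nativeBuild });
  }
  return hits;
}

// 2. Dependency specs that bypass the registry. Heuristic classification:
//    git protocols and host shorthands count as "git", tarball URLs as "remote".
//    (file: and workspace: specs fall through to "registry" here; extend if needed.)
function classifySpec(spec) {
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:|git@)/.test(spec)) return "git";
  if (/^https?:\/\/\S+\.(tgz|tar\.gz)$/.test(spec)) return "remote";
  if (/^https?:\/\//.test(spec)) return "git"; // a plain repository URL
  if (/^[\w.-]+\/[\w.-]+(#\S*)?$/.test(spec)) return "git"; // user/repo[#ref] shorthand
  return "registry";
}

function findNonRegistryDeps(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "registry") out.push({ name, spec, kind });
    }
  }
  return out;
}

// 3. min-release-age: a version is eligible only if it was published at least
//    minDays ago. pickVersion returns the newest eligible version by publish time.
function oldEnough(publishedAt, minDays, now = new Date()) {
  return now - new Date(publishedAt) >= minDays * 86_400_000;
}

function pickVersion(timeMap, minDays, now = new Date()) {
  const eligible = Object.entries(timeMap)
    .filter(([, published]) => oldEnough(published, minDays, now))
    .sort((a, b) => new Date(b[1]) - new Date(a[1]));
  return eligible.length ? eligible[0][0] : null;
}

// Constructed sample data (not real packages or registry records).
const SAMPLE_MANIFESTS = [
  { name: "plain-lib", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-addon", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "sneaky", version: "0.0.2", scripts: { postinstall: "node setup.js" } },
  {
    name: "my-app",
    version: "1.0.0",
    dependencies: {
      "plain-lib": "^1.0.0",
      "native-addon": "2.3.1",
      sneaky: "github:someone/sneaky",
      tarball: "https://example.invalid/pkg-1.0.0.tgz",
    },
  },
];

// Constructed publish times for one imaginary package; the newest version is 12 hours old.
const SAMPLE_TIME = {
  "1.0.0": "2026-01-01T00:00:00Z",
  "1.0.1": "2026-03-01T00:00:00Z",
  "1.0.2": "2026-03-29T12:00:00Z",
};
const NOW = new Date("2026-03-30T00:00:00Z");

console.log("install hooks:", findLifecycleScripts(SAMPLE_MANIFESTS));
console.log("non-registry deps:", findNonRegistryDeps(SAMPLE_MANIFESTS[3]));
console.log("min-release-age 7 picks:", pickVersion(SAMPLE_TIME, 7, NOW));
```

Run with node; the two packages with install hooks are exactly the ones you would need to approve, the git shorthand and tarball dependencies are the ones that will need --allow-git and --allow-remote, and with a seven-day min-release-age the half-day-old 1.0.2 is skipped in favour of 1.0.1. Point the same functions at the package.json files under node_modules and at the time field of a registry metadata document to run it against a real project.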
Source: https://dev.to/ranjansingh41/npm-12-will-change-script-execution-behavior-to-prevent-attacks-45lg
Optional learning community: https://t.me/GyaanSetuAi