npm 12: Install Scripts Disabled by Default
GitHub has announced the release of npm version 12, which brings a significant change in the handling of install scripts. From now on, install scripts are disabled by default to reduce the risk of security incidents in the software supply chain. This decision follows a series of incidents where malicious scripts were spread through npm packages. The new version introduces the allowScripts option, which is set to off by default. Developers must now actively consent to run install scripts, providing an additional layer of security.
This measure aims to protect the integrity of software and strengthen trust in the use of npm. Additionally, GitHub has discontinued the use of granular access tokens (GATs). These tokens allowed users to bypass two-factor authentication (2FA), posing a significant security risk. The removal of this feature is intended to ensure that all users accessing npm must actively use 2FA to protect their accounts. The changes in npm 12 are part of a broader initiative by GitHub aimed at enhancing security in the open-source community.
In recent years, there have been several high-profile security incidents that underscored the need for stricter security measures. GitHub is committed to continuously raising security standards and informing users about best practices. Reactions to the changes are mixed. Some developers welcome the new security measures and see them as a necessary step towards improving safety. Others express concerns that the additional hurdles may complicate the use of npm for certain projects.
The discussion about balancing security and usability continues within the developer community. Version 12 of npm is expected to be available to all users in the coming weeks. GitHub plans to roll out the changes gradually to ensure that developers have sufficient time to adapt to the new settings. Comprehensive documentation on the changes will be provided on the official GitHub page. The decision to disable install scripts by default could also impact how developers manage their packages.
Many developers rely on scripts to install dependencies or make configurations. The need to manually enable these scripts may lead to a review and adjustment of existing projects. The security landscape in software development remains tense. According to a 2025 study, 70% of developers are concerned about security risks in the software supply chain. GitHub's new measures could help strengthen trust in open-source projects and enhance the security of the entire community.
The changes in npm 12 are part of a broader trend in software development focused on improving security. Companies and developers are increasingly required to implement security practices to meet the challenges of the modern threat landscape. GitHub has announced that it will continue to invest in security solutions and keep the community informed about new developments. The official release of npm 12 is expected on July 15, 2026, and developers are encouraged to familiarize themselves with the new features and security measures.
💬 Comments (0)
No comments yet. Be the first to comment!