npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
npm 12 disables install scripts, git dependencies, and remote URL dependencies by default to mitigate supply chain attacks. Granular Access Tokens (GATs) can no longer bypass Two-Factor Authentication (2FA) for sensitive account or package management actions. Automated publishing via long-lived tokens is deprecated in favor of Trusted Publishing (OIDC) or staged publishing requiring human 2FA approval. pnpm 11.10 introduces a secure `_auth` setting that binds credentials to hosts, preventing tok
Analysis
TL;DR
- npm 12 disables install scripts, git dependencies, and remote URL dependencies by default to mitigate supply chain attacks.
- Granular Access Tokens (GATs) can no longer bypass Two-Factor Authentication (2FA) for sensitive account or package management actions.
- Automated publishing via long-lived tokens is deprecated in favor of Trusted Publishing (OIDC) or staged publishing requiring human 2FA approval.
- pnpm 11.10 introduces a secure
_authsetting that binds credentials to hosts, preventing token redirection through compromised project files.
Why It Matters
These changes represent a significant shift in the Node.js ecosystem's security posture, moving from convenience-driven defaults to security-by-default practices. For AI practitioners and developers integrating machine learning models or tools via npm, understanding these restrictions is crucial to avoid build failures and ensure secure deployment pipelines. The industry-wide move towards stricter authentication and script validation reduces the attack surface for malicious package injection, which is particularly critical in AI infrastructure where dependencies often handle sensitive data or computational resources.
Technical Details
- Default Behavior Changes:
allowScriptsdefaults tooff, disabling lifecycle scripts (preinstall, install, postinstall) and implicit node-gyp builds.--allow-gitand--allow-remotedefault tonone, blocking automatic resolution of Git and remote URL dependencies. - Approval Workflow: Users must explicitly run
npm approve-scripts --allow-scripts-pendingto review pending scripts and commit an allowlist topackage.json. - Token Restrictions: GATs configured to bypass 2FA lose permissions for sensitive actions (e.g., changing passwords, managing organization membership) and direct publishing. Publishing is limited to staging, requiring human 2FA approval to go live.
- Timeline: Token restrictions take effect in August 2026, with full publishing surface limitations enforced by January 2027.
- pnpm Security Update: pnpm 11.10 implements a structured
_authsetting that stores credentials globally or via environment variables, ensuring they cannot be redirected by tampered local.npmrcorpnpm-workspace.yamlfiles.
Industry Insight
- Pipeline Modernization: Organizations should immediately audit CI/CD pipelines for reliance on long-lived publish tokens or implicit script execution. Transitioning to OIDC-based Trusted Publishing or implementing staged publishing workflows is essential for compliance with the new npm 12 standards.
- Dependency Auditing: Developers must proactively review and whitelist necessary scripts and dependencies before upgrading to npm 12. Automated testing suites should include checks for
allowScriptsconfigurations to prevent silent build failures. - Security Hygiene: The pnpm update highlights the importance of separating credential storage from project code. Teams should adopt similar practices across all package managers, ensuring authentication tokens are managed via secure environment variables or secret managers rather than committed configuration files.
Disclaimer: The above content is generated by AI and is for reference only.