GitHub’s npm v12 Will Block Common Supply Chain Attack Techniques by Default


[Image: GitHub changes coming in npm 12. Image credit: GitHub]

GitHub has announced that npm v12 is expected to arrive next month, bringing a series of security-focused changes designed to make software supply chain attacks significantly harder to pull off.

The update comes at a time when the software ecosystem continues to face a growing number of supply chain threats. Last month alone, GitHub disclosed a breach that exposed around 3,800 repositories, while the company also dealt with fallout from the TanStack supply chain attack. More recently, Microsoft restored 73 GitHub repositories that were temporarily disabled during investigations linked to the Miasma supply chain campaign.

The new npm protections focus on one of the most commonly abused parts of the JavaScript ecosystem: the npm install command. Developers use it to download project dependencies, but attackers target it because, by default, npm runs the lifecycle scripts each dependency declares at install time, so any package anywhere in the dependency tree can execute arbitrary code on a developer workstation or CI runner.

npm install will require explicit approval for code execution

The biggest change in npm v12 is the removal of automatic code execution during dependency installation.

Starting with the new release, npm install will no longer automatically run preinstall, install, or postinstall scripts from dependencies unless developers explicitly approve them.

The restriction also covers native module builds that npm triggers through node-gyp (including the implicit node-gyp rebuild npm runs for packages that ship a binding.gyp without declaring an install script), as well as prepare scripts from Git, local file, and linked dependencies.

According to GitHub, requiring explicit approval for install-time code execution should eliminate a major attack vector frequently used in supply chain compromises.

Git and remote URL dependencies will be blocked by default

Npm v12 also changes how dependencies from non-registry sources are handled.

Git-based dependencies will no longer be trusted automatically. Instead, developers must explicitly permit them before npm resolves and installs them.

The restriction applies to both direct dependencies and transitive dependencies pulled in by other packages.

GitHub said this change closes a lesser-known attack path where a malicious package could use a Git dependency's .npmrc configuration to alter which Git executable gets launched during installation (npm's git configuration setting names the command it runs for Git operations). In some scenarios, this technique could lead to code execution even when install scripts were disabled.

Remote URL dependencies will receive similar treatment. Dependencies distributed through HTTPS tarballs and other remote URLs will also require explicit approval before npm installs them. Like Git dependencies, the restriction covers both direct and transitive packages.

Projects that legitimately depend on install scripts, Git repositories, or remote URL packages will still be able to use them, but developers will need to explicitly opt in before upgrading to npm v12.

Developers should prepare before npm v12 arrives

GitHub recommends upgrading to npm 11.16.0 or newer ahead of the npm v12 release.

Recent npm 11 builds already print warnings when a project relies on behavior that will no longer happen automatically under the new defaults. These warnings help teams find the install scripts, Git and remote URL dependencies, and native build steps that will need explicit approval before the transition.

After upgrading to npm v12, only approved scripts and approved dependency sources will continue running automatically.

GitHub has also opened a community discussion to gather feedback from developers before the changes become permanent.
