News

npm 12 Disables Install Scripts by Default, Deprecates Granular Access Tokens

GitHub releases npm 12 with install scripts disabled by default and deprecates granular access tokens to enhance security.

npm 12 introduces significant security changes, including disabling install scripts by default and limiting granular access tokens. These updates aim to enhance security for developers and organizations.

npm 12 Disables Install Scripts by Default, Deprecates Granular Access Tokens

GitHub has officially announced the release of npm version 12, introducing major security enhancements. The latest update disables install scripts by default and deprecates granular access tokens (GATs) designed to bypass two-factor authentication (2FA).

Key Changes in npm 12

  1. Install Scripts Disabled by Default:

    • allowScripts: Now defaults to off, preventing dependency lifecycle scripts (e.g., preinstall, install, postinstall) and implicit node-gyp builds from running automatically. Users must explicitly allow these scripts.
    • --allow-git: Defaults to none, meaning Git dependencies are no longer resolved unless explicitly permitted.
    • --allow-remote: Defaults to none, preventing dependencies from remote URLs (e.g., HTTPS tarballs) from being resolved unless allowed.

    To approve trusted scripts, users must run npm approve-scripts --allow-scripts-pending and commit the resulting allowlist in the package.json file.

  2. Deprecation of Granular Access Tokens (GATs):

    • GATs configured to bypass 2FA will no longer support sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes, changing npm account details, and managing organization memberships.
    • GATs will lose the ability to publish directly. Publishing will require a human 2FA approval step, with staged publishing as the recommended approach.

    The first change will take effect in early August 2026, while the second is scheduled for January 2027. GitHub advises developers to transition to trusted publishing (OIDC) or staged publishing with human approval.

Additional Security Enhancements

The release of npm 12 follows recent security improvements in the ecosystem. For instance, pnpm 11.10 introduced a new _auth setting for configuring registry authentication. This setting ensures that credentials and their associated hosts are tightly coupled, reducing the risk of token theft through tampered project files.

Recommendations for Developers

GitHub recommends that developers:

  • Upgrade to npm 11.16.0 or newer to review and address warnings.
  • Stop using 2FA-bypass tokens for sensitive operations and perform them interactively with 2FA.
  • Transition automated publishing workflows to trusted publishing (OIDC) or staged publishing with human approval.

These updates reflect a broader effort to enhance security in the npm ecosystem, protecting developers and organizations from potential vulnerabilities.