npm 12 Disables Install Scripts by Default, Deprecates Granular Access Tokens
GitHub has officially announced the release of npm version 12, introducing major security enhancements. The latest update disables install scripts by default and deprecates granular access tokens (GATs) designed to bypass two-factor authentication (2FA).
Key Changes in npm 12
-
Install Scripts Disabled by Default:
- allowScripts: Now defaults to off, preventing dependency lifecycle scripts (e.g., preinstall, install, postinstall) and implicit node-gyp builds from running automatically. Users must explicitly allow these scripts.
- --allow-git: Defaults to none, meaning Git dependencies are no longer resolved unless explicitly permitted.
- --allow-remote: Defaults to none, preventing dependencies from remote URLs (e.g., HTTPS tarballs) from being resolved unless allowed.
To approve trusted scripts, users must run
npm approve-scripts --allow-scripts-pendingand commit the resulting allowlist in thepackage.jsonfile. -
Deprecation of Granular Access Tokens (GATs):
- GATs configured to bypass 2FA will no longer support sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes, changing npm account details, and managing organization memberships.
- GATs will lose the ability to publish directly. Publishing will require a human 2FA approval step, with staged publishing as the recommended approach.
The first change will take effect in early August 2026, while the second is scheduled for January 2027. GitHub advises developers to transition to trusted publishing (OIDC) or staged publishing with human approval.
Additional Security Enhancements
The release of npm 12 follows recent security improvements in the ecosystem. For instance, pnpm 11.10 introduced a new _auth setting for configuring registry authentication. This setting ensures that credentials and their associated hosts are tightly coupled, reducing the risk of token theft through tampered project files.
Recommendations for Developers
GitHub recommends that developers:
- Upgrade to npm 11.16.0 or newer to review and address warnings.
- Stop using 2FA-bypass tokens for sensitive operations and perform them interactively with 2FA.
- Transition automated publishing workflows to trusted publishing (OIDC) or staged publishing with human approval.
These updates reflect a broader effort to enhance security in the npm ecosystem, protecting developers and organizations from potential vulnerabilities.