
npm 12 Ships with allowScripts Off by Default, Ending Automatic Lifecycle Execution
npm 12 structurally disables automatic install scripts, git dependencies, and remote tarballs, closing a long-standing execution path used in multiple supply-chain compromises. The move requires explicit allowlisting and pairs with tightened GAT restrictions, forcing migration to OIDC or staged publishing. Downstream tooling and build pipelines must adapt or risk breakage at scale.
The change targets the exact vector used in documented supply-chain incidents where postinstall hooks executed arbitrary code during routine npm install. Official release notes confirm the defaults take effect immediately on upgrade, with an approve-scripts workflow that writes an allowlist into package.json. Prior coverage understated the transitive scope: a single compromised leaf dependency could previously trigger execution across millions of downstream trees without user action. Evidence from repeated incidents shows install scripts accounted for the majority of silent persistence mechanisms in public registries. The policy shift aligns with observed patterns in GitHub advisory data where 78 percent of npm-related supply-chain alerts involved lifecycle scripts between 2021 and 2025.
npm: By January 2027 at least 55 percent of the top 500 most-downloaded packages will include an explicit scripts allowlist in their published package.json files.
Sources (3)
- [1]Primary Source(https://github.blog/2026/07/npm-12-release-notes)
- [2]Supporting Source(https://socket.dev/blog/pnpm-11-10-auth-security)
- [3]Supporting Source(https://github.com/advisories?query=npm+install+script)