Home/News/npm 12 Disables Install Scripts by Default
The Hacker News2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

npm 12 Disables Install Scripts by Default

npm 12 Disables Install Scripts by Default

GitHub announced the release of npm version 12, which disables install scripts by default to enhance supply chain security. This change makes previously automatic npm install behaviors opt-in, with `allowScripts` now defaulting to off. The update also deprecates granular access tokens (GATs) that were designed to bypass two-factor authentication (2FA).

This move by GitHub, which owns npm, aims to address growing concerns over software supply chain attacks. By requiring explicit user consent for script execution during package installation, npm 12 reduces the attack surface for malicious code injection. Previously, packages could execute arbitrary scripts upon installation, posing a significant risk if compromised.

The deprecation of granular access tokens is another step towards strengthening security. These tokens, which could circumvent 2FA, presented a vulnerability that could be exploited by attackers to gain unauthorized access. The deprecation process will begin with a warning period, followed by eventual removal.

Users will need to explicitly enable install scripts if their workflows depend on them, by setting `allowScripts` to `true` in their `.npmrc` file or via command-line flags. This provides a clear audit trail and ensures that developers are aware of the potential risks associated with running scripts from untrusted sources. The changes are effective immediately with the release of npm 12.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next