npm v12 to disable dependency scripts by default for improved security
By
Allison
Summary
npm v12, estimated for July 2026, will introduce security-related breaking changes to npm install. The key change is that allowScripts will default to off, meaning preinstall, install, and postinstall scripts from dependencies (including native node-gyp builds) will no longer execute automatically. Users must explicitly opt into these behaviors. All changes are currently available behind warnings in npm 11.16.0 or newer to allow preparation before the upgrade.
Key quotes
Our next npm major version, v12, introduces security-related default changes to npm install.
All these changes are available behind warnings in npm today on 11.16.0 or newer, so you can prepare before the upgrade.
v12 is estimated to release in July 2026.
Each change turns an npm install behavior that runs automatically today into one you explicitly opt into.
npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project.