{"id":4305,"date":"2026-06-11T16:12:41","date_gmt":"2026-06-11T16:12:41","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/11\/npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now\/"},"modified":"2026-06-11T16:12:41","modified_gmt":"2026-06-11T16:12:41","slug":"npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/11\/npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now\/","title":{"rendered":"npm v12 Is Coming in July \u2014 Here\u2019s What Developers Need to Do Now"},"content":{"rendered":"<div><img data-opt-id=166840461  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/npm_v12_supply_chain_security_770x330.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=1621358267  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/npm_v12_supply_chain_security_770x330-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p><span>For years, running <\/span><span>npm install<\/span><span> meant trusting that whatever code got pulled in would behave itself. That trust was often misplaced. Starting in July 2026, npm v12 changes the rules. Install scripts won\u2019t run automatically anymore. Neither will dependencies be pulled from Git repos or remote URLs. All of it becomes opt-in.<\/span><\/p>\n<p><span>This is a direct response to a wave of supply chain attacks that have hammered the JavaScript ecosystem over the past year. In September 2025, attackers hijacked 18 popular npm packages \u2014 including <\/span><span>debug<\/span><span> and <\/span><span>chalk<\/span><span> \u2014 libraries found in virtually every Node.js project. 
With combined downloads exceeding 2.6 billion per week, it was one of the largest npm attacks in history. In 2025 alone, attackers published nearly 455,000 malicious npm packages. The attacks haven\u2019t slowed down \u2014 the March 2026 Axios compromise weaponized one of npm\u2019s most-downloaded packages through credential theft.<\/span><\/p>\n<p><span>The ecosystem needed a structural fix, not just better scanning tools. npm v12 is that fix.<\/span><\/p>\n<h3><strong>What\u2019s Actually Changing<\/strong><\/h3>\n<p><span>npm v12 introduces three security-related changes to <\/span><span>npm install<\/span><span>. First, <\/span><span>allowScripts<\/span><span> defaults to off \u2014 npm install will no longer execute <\/span><span>preinstall<\/span><span>, <\/span><span>install<\/span><span>, or <\/span><span>postinstall<\/span><span> scripts from dependencies unless they are explicitly allowed in your project. This includes native <\/span><span>node-gyp<\/span><span> builds. Second, <\/span><span>--allow-git<\/span><span> defaults to none \u2014 npm install will no longer resolve Git dependencies, direct or transitive, unless explicitly allowed. Third, <\/span><span>--allow-remote<\/span><span> defaults to none \u2014 npm install will no longer resolve dependencies from remote URLs, such as HTTPS tarballs, unless explicitly allowed.<\/span><\/p>\n<p><span>These aren\u2019t minor configuration tweaks. They close attack vectors that defenders have complained about for years. The Git dependency change is particularly significant. It closes a code-execution path where a Git dependency\u2019s <\/span><span>.npmrc<\/span><span> could override the Git executable, even when developers thought they were protected by <\/span><span>--ignore-scripts<\/span><span>. 
That flag gave many teams a false sense of security.<\/span><\/p>\n<h3><strong>Why This Matters Beyond the Security Team<\/strong><\/h3>\n<p><span>Most developers think of supply chain security as someone else\u2019s problem. That\u2019s changing fast. As recently as late May 2026, Microsoft Threat Intelligence uncovered an active supply chain attack involving malicious npm packages registered under organizational scopes that mirrored real internal corporate namespaces. These weren\u2019t obviously suspicious packages. They looked like internal tools.<\/span><\/p>\n<p><span>The average npm project isn\u2019t pulling in a handful of dependencies. The average npm project pulls in 79 transitive dependencies. Any one of those can carry malicious install scripts. Under the current default behavior, those scripts run the moment someone runs <\/span><span>npm install<\/span><span>. In v12, they won\u2019t \u2014 unless a developer explicitly says they should.<\/span><\/p>\n<p><span>Mitch Ashley, VP &amp; Practice Lead, Software Lifecycle Engineering &amp; AI-Native Software Engineering at The Futurum Group, says the change reflects a fundamental rethink of how trust works in the ecosystem. \u201cPackage installation is shifting from implicit trust to explicit allowlisting at the ecosystem\u2019s default layer. Disabling automatic script execution, Git resolution, and remote fetches by default concedes that detecting malicious packages after publication cannot keep pace with how fast they appear. Engineering and platform teams now own a dependency allowlist committed to source control, and CI must fail builds on unreviewed install scripts. Verifying what executes at install time becomes a standing engineering obligation rather than a security team afterthought.\u201d<\/span><\/p>\n<h3><strong>How to Prepare Before July<\/strong><\/h3>\n<p><span>The good news is that you don\u2019t have to wait for v12 to drop and break your builds. 
All three changes are available as warnings in npm 11.16.0 or newer, so teams can prepare before the upgrade.<\/span><\/p>\n<p><span>Here\u2019s the recommended workflow:<\/span><\/p>\n<p><span>First, upgrade to npm 11.16.0 or later \u2014 this enables advisory mode, where warnings surface but nothing breaks yet. Then run <\/span><span>npm approve-scripts --allow-scripts-pending<\/span><span> to see which packages have scripts that aren\u2019t yet covered by your policy. Approve the ones you trust, pinned to the version you\u2019ve reviewed, and commit the updated <\/span><span>package.json<\/span><span> to source control. Pinning matters: an approval for one version should not carry over to the next release, whose scripts may differ.<\/span><\/p>\n<p><span>Consider running <\/span><span>npm approve-scripts --allow-scripts-pending<\/span><span> in read-only mode first \u2014 it lists every package whose scripts aren\u2019t yet covered without changing anything, so you have the full picture before you approve anything.<\/span><\/p>\n<p><span>One thing to avoid: don\u2019t approve everything with a blanket flag just to make warnings go away. That defeats the purpose. The point is to know which packages are running code on your machine and make a deliberate decision about each one.<\/span><\/p>\n<p><span>For teams relying on internal HTTPS tarballs or monorepos that pin packages to Git branches, the right fix is to migrate to a proper registry \u2014 GitHub Packages, Nexus, or Artifactory \u2014 rather than adding <\/span><span>--allow-git<\/span><span> or <\/span><span>--allow-remote<\/span><span> to every CI script.<\/span><\/p>\n<h3><strong>Package Maintainers Have Work to Do Too<\/strong><\/h3>\n<p><span>If you maintain packages that use install scripts, your downstream users won\u2019t get those scripts by default in v12. 
Two things help: document it by adding a note to your README linking to <\/span><span>npm approve-scripts<\/span><span>, and reduce the need for scripts by shipping prebuilt binaries using tools like <\/span><span>prebuild<\/span><span>, <\/span><span>prebuildify<\/span><span>, or <\/span><span>node-pre-gyp<\/span><span>, or by moving setup into an explicit command users run after install.<\/span><\/p>\n<p><span>This isn\u2019t just courtesy. If your package silently stops working for users after they upgrade to v12 and they don\u2019t understand why, that\u2019s a support problem and a trust problem.<\/span><\/p>\n<h3><strong>The Bigger Picture<\/strong><\/h3>\n<p><span>npm v12 reflects a broader shift happening across the software supply chain. The era of implicit trust \u2014 where running <\/span><span>npm install<\/span><span> was treated like a safe, routine operation \u2014 is ending. Explicit allowlists, version pinning, and continuous review are becoming table stakes.<\/span><\/p>\n<p><span>The Shai-Hulud worm, Glassworm, and the string of supply chain attacks throughout 2025 and 2026 have shown that implicit trust in package installation no longer holds. npm v12 doesn\u2019t solve every problem in that space, but it removes the easy path that attackers have relied on for years.<\/span><\/p>\n<p><span>July isn\u2019t far away. The time to run <\/span><span>npm approve-scripts --allow-scripts-pending<\/span><span> is now.<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/npm-v12-is-coming-in-july-heres-what-developers-need-to-do-now\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>For years, running npm install meant trusting that whatever code got pulled in would behave itself. 
That trust was often [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4306,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4305","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4305"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4305\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4306"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
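The workflow in the article's "How to Prepare Before July" section ends with an allowlist of packages whose install scripts you have reviewed, pinned to the reviewed version. Before that allowlist exists, a team needs to know what its lockfile actually contains. The script below is an added example, not code from the article or from npm itself: it reads a package-lock.json (lockfileVersion 3) and reports the three things npm v12 will refuse by default, namely entries flagged hasInstallScript that are not in a pinned allowlist, Git dependencies, and tarballs resolved from outside the registry, then returns a non-zero exit code so CI fails on anything unreviewed. The lockfile fields it reads (packages, resolved, link, hasInstallScript) are npm's own lockfile fields; the allowlist format ({ name: version }), the REGISTRY_HOSTS list and the sample lockfile are assumptions constructed for this example.

```javascript
"use strict";
// Added example: audit a package-lock.json (lockfileVersion 3) for what npm v12 will
// refuse by default. Not code from the article or from npm itself.

// Hosts whose tarballs count as "registry" installs. Add your private registry host
// here (assumption); anything else served over HTTP(S) is reported as a remote tarball.
const REGISTRY_HOSTS = ["registry.npmjs.org"];

// How npm will fetch this entry: "registry", "git", "remote", or "other" (file:, links).
function classifyResolved(resolved) {
  if (typeof resolved !== "string" || resolved === "") return "other";
  // Git specifiers in the lockfile look like git+ssh://..., git+https://..., git://...
  if (/^git(\+[a-z]+)?:\/\//i.test(resolved)) return "git";
  let url;
  try {
    url = new URL(resolved);
  } catch {
    return "other";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "other";
  return REGISTRY_HOSTS.includes(url.hostname) ? "registry" : "remote";
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// allowlist: { [packageName]: approvedVersion } (assumed format). An approval is pinned
// to one version, so a bumped dependency counts as unreviewed until someone looks again.
function auditLockfile(lock, allowlist) {
  const findings = { scripts: [], git: [], remote: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    // "" is the root project; link entries are workspace symlinks, not fetched packages.
    if (lockPath === "" || entry.link || !lockPath.includes("node_modules/")) continue;
    const name = nameFromLockPath(lockPath);
    const kind = classifyResolved(entry.resolved);
    if (kind === "git") findings.git.push({ name, resolved: entry.resolved });
    if (kind === "remote") findings.remote.push({ name, resolved: entry.resolved });
    if (entry.hasInstallScript) {
      findings.scripts.push({
        name,
        version: entry.version,
        approved: allowlist[name] === entry.version,
      });
    }
  }
  const unreviewed = findings.scripts
    .filter((s) => !s.approved)
    .map((s) => `${s.name}@${s.version}`);
  const pass =
    unreviewed.length === 0 && findings.git.length === 0 && findings.remote.length === 0;
  return { ...findings, unreviewed, pass };
}

// Constructed sample lockfile (not a real project's); versions are illustrative.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/esbuild": {
      version: "0.21.5",
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
      hasInstallScript: true,
    },
    "node_modules/sharp": {
      version: "0.33.5",
      resolved: "https://registry.npmjs.org/sharp/-/sharp-0.33.5.tgz",
      hasInstallScript: true,
    },
    "node_modules/debug": {
      version: "4.3.4",
      resolved: "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
    },
    "node_modules/internal-tool": {
      version: "2.0.0",
      resolved: "git+ssh://git@github.com/example-org/internal-tool.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/legacy-lib": {
      version: "1.2.3",
      resolved: "https://artifacts.example.com/legacy-lib-1.2.3.tgz",
    },
    "node_modules/ui": { resolved: "packages/ui", link: true },
  },
};
// Constructed allowlist: esbuild's scripts were reviewed at 0.21.5; sharp's were not.
const SAMPLE_ALLOWLIST = { esbuild: "0.21.5" };

// Usage: node audit-lock.js [package-lock.json] [allowlist.json]
// Returns the exit code for CI: 0 only when nothing is unreviewed.
function runCli(argv) {
  const fs = require("fs");
  const lock = argv[0] ? JSON.parse(fs.readFileSync(argv[0], "utf8")) : SAMPLE_LOCK;
  const allow = argv[1] ? JSON.parse(fs.readFileSync(argv[1], "utf8")) : SAMPLE_ALLOWLIST;
  const result = auditLockfile(lock, allow);
  console.log(JSON.stringify(result, null, 2));
  return result.pass ? 0 : 1;
}

if (typeof require !== "undefined" && require.main === module) {
  const code = runCli(process.argv.slice(2));
  // Only fail the process for a real lockfile; the built-in sample is deliberately non-compliant.
  if (process.argv[2]) process.exitCode = code;
}
```

Run it against a real lockfile with `node audit-lock.js package-lock.json allowlist.json` in CI and the build fails until every script-bearing package is either approved at its exact version or removed, and until Git and remote tarball dependencies have been moved to a registry as the article recommends. Two caveats: a private registry must be added to REGISTRY_HOSTS or its tarballs will be reported as remote, and hasInstallScript is set by npm from the package's own preinstall, install and postinstall entries, so it complements rather than replaces the listing that `npm approve-scripts` gives you.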