NPM 12 Security Updates: New Script Execution Changes to Block Supply Chain Attacks


GitHub has implemented a significant change to the NPM ecosystem, halting the automatic execution of scripts from dependencies by default, following a surge in supply chain attacks.

Key Changes in NPM 12

NPM 12, scheduled for release in July, will block script execution by default for preinstall, install, and postinstall phases. This shift aims to mitigate risks associated with untrusted dependencies.

Impact on Native Node-Gyp Builds

The update affects native node-gyp builds, such as packages containing a binding.gyp file without explicit install scripts, as well as prepare scripts from git, file, and link dependencies.

Security Loopholes Addressed

Git dependencies—whether direct or transitive—will no longer resolve during npm install unless explicitly permitted. Remote URL dependencies will also be restricted in NPM 12, excluding HTTPS tarballs unless developers use the `allow-remote` flag.

Developer Actions and Tools

Developers can assess the impact of the change by running the command `npm approve-scripts allow-scripts-pending` to generate an allowlist of trusted packages. This list is stored in package.json.

Security Warnings and Allowlists

Users of NPM 11.16.0 or later will receive warnings if their installation process triggers scripts. The `npm approve-scripts allow-scripts-pending` command helps developers ensure only authorized scripts execute after upgrading.

Security Incidents and Industry Response

The update follows multiple high-profile supply chain breaches, including the compromise of over 5,500 GitHub repositories in the “Megalodon” attack and the infiltration of 32 Red Hat NPM packages. Other incidents, such as the breach of 3,800 internal GitHub repositories and the theft of Grafana’s codebase via the TanStack supply chain attack, underscore the urgency of these changes.

Broader Industry Efforts

Developers are urged to proactively review their dependency chains and adjust configurations to align with the new security framework. The shift reflects a broader industry effort to address evolving threats in software development workflows.

GitHub advises users to upgrade to NPM 11.16.0 or later, perform a standard install, and review warnings.

Conclusion

The NPM 12 update marks a critical step in securing the software supply chain. By blocking script execution by default and tightening dependency controls, GitHub aims to protect developers from increasingly sophisticated attacks. Proactive measures, such as reviewing dependencies and using allowlists, are essential for maintaining security in modern development workflows.
