Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

The Hacker News by The Hacker News
July 9, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 09, 2026Supply Chain Security / DevSecOps

GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).

The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in –

  • allowScripts defaults to off, meaning dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.
  • –allow-git defaults to none, meaning –allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.
  • –allow-remote defaults to none, meaning dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.

To review and approve trusted scripts, users are now required to run: “npm approve-scripts –allow-scripts-pending,” then commit the resulting allowlist in the “package.json” file.

It’s worth noting that these changes were previewed last month, with GitHub recommending developers to upgrade to npm 11.16.0 or newer, run the normal install command, and review the warnings displayed.

The latest npm release version also introduces two new changes –

  • npm GATs configured to bypass 2FA will no longer be able to perform sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes and changing npm account password, email, profile, or 2FA configuration, changing package access, maintainers, or trusted publishing configuration, and managing organization and team membership as well as their package grants.
  • npm GATs will no longer retain the ability to publish directly. Their publishing surface will be limited to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.

The first of two changes is expected to take effect in early August 2026. In the interim, it’s advised to stop using 2FA-bypass tokens for the aforementioned operations and perform them interactively with 2FA. The second change is scheduled for January 2027.

“To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token,” GitHub said.

The development comes as pnpm 11.10 introduces a new “_auth” setting for configuring registry authentication as a single structured, URL-keyed value.

“The security benefit is that the credential and the host it belongs to travel together, and pnpm reads _auth only from the environment or the global config, never from a project’s files,” Socket explained.

“That means a malicious or compromised pnpm-workspace.yaml or .npmrc inside a repository cannot point a valid token at a different host. A tampered project file is a common way attackers get a foothold, and redirecting a registry token is a direct route to stealing it, so closing that path removes exposure.”



Source link

The Hacker News

The Hacker News

Next Post
Global Radio Masts and Towers Market to Reach USD 8.20 Billion by 2033, Expanding at 4.4% CAGR Driven by 5G Infrastructure Rollouts, Network Densification, and Broadcast Modernization: Verified Market Research

Global Radio Masts and Towers Market to Reach USD 8.20 Billion by 2033, Expanding at 4.4% CAGR Driven by 5G Infrastructure Rollouts, Network Densification, and Broadcast Modernization: Verified Market Research

Recommended.

CIOs bolster governance amid agentic AI push

CIOs bolster governance amid agentic AI push

September 18, 2025
Embedded world 2026 | Leading the Pet Tech Revolution: MQ771-GL Redefines Smart Pet Collars

Embedded world 2026 | Leading the Pet Tech Revolution: MQ771-GL Redefines Smart Pet Collars

March 11, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio