npm v12 introduces security defaults blocking scripts and Git dependencies

Original: Upcoming breaking changes for npm v12

Why This Matters

Significant security hardening of npm package installation defaults

GitHub announces npm v12 breaking changes for July 2026, defaulting to block dependency scripts, Git repositories, and remote URLs unless explicitly allowed. Changes available as warnings in npm 11.16.0+ for preparation.

npm v12, releasing July 2026, introduces three major security changes. The allowScripts setting defaults to off, blocking preinstall, install, and postinstall scripts from dependencies (including node-gyp builds) unless explicitly approved. --allow-git defaults to none, preventing Git dependency resolution and closing that code execution path. --allow-remote defaults to none, blocking remote URL dependencies such as https tarballs. Users can prepare by upgrading to npm 11.16.0+, reviewing the warnings emitted during normal installs, and running npm approve-scripts --allow-scripts-pending to see the affected packages. Approved packages are written to package.json and should be committed. The changes turn automatic behaviors into explicit opt-ins.
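The following is an added example, not code from the GitHub post or from npm itself. It triages a project against the three v12 defaults described above: it walks a package.json object for dependency specs that --allow-git none and --allow-remote none would refuse (git URLs, hosted-git shorthands, remote tarballs), and it scans installed packages' manifests for preinstall, install, and postinstall hooks that allowScripts=off would block. The spec classification follows npm's package spec syntax as I understand it (git+ssh://, github:user/repo, user/repo shorthand, https tarball URLs) and is an assumption of this example; the page does not name the package.json field that approvals are written to, so the example does not touch it. All sample data is constructed.

```javascript
// Added example (not from the GitHub post or the npm project): report which
// dependency specs and install scripts the npm v12 defaults would block.

// Lifecycle hooks that run when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Classify a single dependency spec. Registry specs (semver ranges, tags) and
// file: specs return null; git and remote-URL specs are named so a reviewer
// can see what --allow-git none / --allow-remote none will reject.
// Assumption: these patterns follow npm's package spec syntax.
function classifySpec(spec) {
  if (/^git(\+\w+)?:/.test(spec)) return 'git';               // git://, git+https://, git+ssh://
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return 'git'; // hosted-git shorthand with prefix
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'git';     // bare user/repo shorthand
  if (/^https?:\/\/.*\.git(#.*)?$/.test(spec)) return 'git';   // https URL to a repository
  if (/^https?:\/\//.test(spec)) return 'remote';              // remote tarball URL
  return null;                                                 // registry, file:, npm:, workspace:
}

// Walk every dependency section of a package.json object and collect the
// specs that the v12 defaults would refuse.
function findNonRegistryDeps(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(String(spec));
      if (kind) findings.push({ section, name, spec: String(spec), kind });
    }
  }
  return findings;
}

// Given installed packages as [{ name, manifest }] (manifest = that package's
// own package.json), return those whose install would run a lifecycle script.
// node-gyp builds typically show up as an "install": "node-gyp rebuild" entry.
function findInstallScripts(installed) {
  const blocked = [];
  for (const { name, manifest } of installed) {
    const scripts = (manifest && manifest.scripts) || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
    if (hooks.length) {
      blocked.push({ name, hooks, commands: hooks.map((h) => scripts[h]) });
    }
  }
  return blocked;
}

// Combine both checks into the report a reviewer reads before upgrading.
function triageReport(pkg, installed) {
  return {
    nonRegistry: findNonRegistryDeps(pkg),
    installScripts: findInstallScripts(installed),
  };
}

// Constructed sample input (not a real project); names and URLs are made up.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    express: '^4.19.0',                                        // registry: unaffected
    'left-pad-fork': 'github:example-user/left-pad#v1.3.0',    // git: needs --allow-git
    'internal-lib': 'git+ssh://git@example.com/team/lib.git',  // git: needs --allow-git
    'vendored-tool': 'https://example.com/tool-2.0.0.tgz',     // remote: needs --allow-remote
  },
  devDependencies: {
    'local-helper': 'file:../helper',                          // file spec: unaffected
    jest: '29.7.0',                                            // registry: unaffected
  },
};

const SAMPLE_INSTALLED = [
  { name: 'express', manifest: { name: 'express', scripts: { test: 'mocha' } } },
  { name: 'native-addon', manifest: { name: 'native-addon', scripts: { install: 'node-gyp rebuild' } } },
  { name: 'telemetry-pkg', manifest: { name: 'telemetry-pkg', scripts: { postinstall: 'node ./collect.js' } } },
];

// Print the report when run directly: node triage.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageReport(SAMPLE_PACKAGE_JSON, SAMPLE_INSTALLED), null, 2));
}
```

On the sample data the report lists three non-registry specs (two git, one remote tarball) and two packages with install-time scripts; those are exactly the entries a team would have to either approve explicitly or replace before the v12 defaults land. In a real project, read the root package.json with fs and build the installed list from node_modules/*/package.json.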

Source

github.blog