importantSYS.SOURCE: The Hacker News• 2026-07-09T22:19:02+05:30
npm 12 Enhances Supply Chain Security by Disabling Default Install Scripts
#npm#supply chain security#DevSecOps#package management#software security
npm 12 enhances supply chain security by making install scripts and remote dependencies opt-in by default, reducing risks from malicious code execution. It also deprecates 2FA-bypass tokens and introduces stricter controls for package management and authentication.
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).
The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in -
allowScripts defaults to off, meaning
*** END OF TRANSMISSION ***