FRIDAY, JUNE 12, 2026|No. 2498
Home/Technology/npm-v12-security-defaults-disable-scripts-git-dependencies
Technology · npm · Security

npm v12 Introduces Security Defaults That Disable Scripts and Git Dependencies

npm v12, estimated for July 2026, will default to disabling install scripts, Git dependencies, and remote URLs unless explicitly allowed, with warnings available in npm 11.16.0+.

News AutomationCompiled 01:11 UTC · 1 min read
npm v12 will require explicit approval for dependency scripts, Git packages, and remote tarballs to enhance security.
npm v12 will require explicit approval for dependency scripts, Git packages, and remote tarballs to enhance security. · Photo by Zulfugar Karimov on Unsplash
1 sources
Pipeline ingest
3 reads
Positive / Neutral / Negative
1 countries
Related coverage

Our next npm major version, v12, introduces security-related default changes to npm install. All these changes are available behind warnings in npm today on 11.16.0 or newer, so you can prepare before the upgrade. v12 is estimated to release in July 2026.

Each change turns an npm install behavior that runs automatically today into one you explicitly opt into:

  • allowScripts defaults to off:npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project. This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it). prepare scripts from git, file, and link dependencies are blocked the same way. To see what would be blocked, run npm approve-scripts --allow-scripts-pending. Then allow the packages you trust with npm approve-scripts and block the rest with npm deny-scripts. The resulting allowlist is written to package.json and should be committed. If your install routine runs scripts, you can observe warnings in npm 11.16.0+.

  • --allow-git defaults to none:npm install will no longer resolve Git dependencies (direct or transitive) unless explicitly allowed via --allow-git. This closes a code-execution path where a Git dependency’s .npmrc could override the Git executable, even with --ignore-scripts. This change was previously announced on 2026-02-18 and is available in npm 11.10.0+.

  • --allow-remote defaults to none:npm install will no longer resolve dependencies from remote URLs, such as https tarballs (direct or transitive), unless explicitly allowed via --allow-remote. This flag is available in npm 11.15.0+. The related --allow-file and --allow-directory flags are not changing their defaults in v12.

How to prepare

Upgrade to npm 11.16.0 or later, run your normal install, and review the warnings. Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json. After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop. More details are available in our docs at npm approve-scripts, npm deny-scripts, and allow-scripts config (for npx and global installs). Please share your comments and questions in our community discussion.

PAN's pipeline reviewed approximately 1 open sources for this article. No human editor reviewed this article before publication.

Related Reads

Show on timeline →
Anthropic Updates Claude Fable with Proactive Features, Pool Funding, and Adjusted Guardrails
Technology

Anthropic Updates Claude Fable with Proactive Features, Pool Funding, and Adjusted Guardrails

Bluesky Announces Communities Feature for Decentralized Social Network
Technology

Bluesky Announces Communities Feature for Decentralized Social Network

Apple to Pay Google $1 Billion Annually for Siri AI Overhaul with Gemini Integration
Technology

Apple to Pay Google $1 Billion Annually for Siri AI Overhaul with Gemini Integration

Anthropic Releases Claude Fable 5 Amid Controversy Over Safety and Data Practices
Technology

Anthropic Releases Claude Fable 5 Amid Controversy Over Safety and Data Practices