npm Is About To Stop Trusting Install Scripts
On June 9, 2026, GitHub published a changelog announcing breaking changes for npm v12, estimated to ship in July 2026. The headline change is the one that has been a long time coming: npm will no longer run a dependency's lifecycle scripts automatically when you install it.
For years, running npm install has quietly executed arbitrary code from your dependencies through preinstall, install, and postinstall scripts. That single behavior is the number one reason supply-chain attacks on npm work: compromise a package, add a malicious postinstall, and every npm install in every developer machine and CI pipeline runs your code. npm v12 closes that default. It is the right move, and it will also break some builds, so the time to prepare is now, before July.
What Actually Changes In npm v12
Per GitHub's changelog, in npm v12:
preinstall,install,postinstallandpreparescripts from dependencies will not run by default. You opt them back in per package through an allowlist.- Native
node-gypbuilds are blocked too. A package with abinding.gypand no explicit install script still gets blocked, because npm runs an implicitnode-gyp rebuild. That catches a large slice of native modules. preparescripts from git, file, and link dependencies are blocked the same way.- Git dependencies are blocked unless explicitly allowed with
--allow-git(available since npm 11.10.0). This also closes a code-execution path where a Git dependency's.npmrccould override the Git executable even with--ignore-scripts. - Remote URL and tarball dependencies are blocked unless allowed with
--allow-remote(available since npm 11.15.0).
The approval mechanism is an allowlist written into your package.json and committed to your repo, so your team and your CI share one source of truth about which packages are trusted to run code.
Why This Is Happening
GitHub ties the change to the wave of npm supply-chain attacks, including the self-replicating Shai-Hulud campaigns and a string of package hijacks. Malicious lifecycle scripts have been the common thread in nearly all of them. Turning off automatic script execution removes the easiest path attackers have to get code running the moment a poisoned package lands in your tree. It is the same hardening direction as npm's earlier publishing-side controls, which we covered in our note on the npm staged publishing approval gate, but this one protects the consumer side of the ecosystem.
What Will Break In Your CI
This is where teams need to pay attention, because npm install runs constantly in CI. The honest triage:
- Pure-JavaScript dependencies are unaffected. Most of your tree has no install scripts and will keep working exactly as before.
- Native modules will break until approved. Anything that compiles on install through
node-gyp(database drivers, image and crypto libraries, some headless-browser tooling) will not build unless you allow it. - Tools that rely on
postinstallwill break. Git-hook managers, certain CLIs that download binaries, and build tooling that wires itself up inpostinstallwill silently stop doing that work until allowed. - Git and URL dependencies will fail to resolve unless you add
--allow-gitor--allow-remote.
A build that depended on any of these and is not pre-approved will not error in an obvious "blocked a script" way as much as it will break later, when the thing the script was supposed to set up is simply missing. That is exactly why you want to surface and fix this before v12 forces it.
How To Prepare Before July
GitHub's migration path, and the one we would run for a client, is straightforward:
- Upgrade to npm 11.16.0 or later now. This version warns you about scripts without yet blocking them.
- Run a normal install and read the warnings. They tell you which packages in your tree have lifecycle scripts.
- Surface them with
npm approve-scripts --allow-scripts-pending, then allow the ones you actually trust and need withnpm approve-scripts, and block the rest withnpm deny-scripts. - Commit the allowlist in
package.jsonso every developer and every CI runner uses the same trusted set. - Test your pipeline with scripts blocked before v12 lands, so any missing native build or postinstall step shows up on your schedule, not in a failed production deploy in July.
- Audit your git and URL dependencies. Where you genuinely need them, add
--allow-gitor--allow-remote. Where you do not, this is a good prompt to remove them.
The Bigger Picture
This is the JavaScript ecosystem finally closing a default-trust hole that should never have been open. There will be short-term friction, a few broken builds, and a one-time audit of every package that wants to run code on your machines. That audit is the point. After it, you have an explicit, committed record of exactly which dependencies are trusted to execute code in your pipeline, which is a far stronger position than "all of them, automatically."
Getting a fleet of pipelines ready for this kind of change without breaking deploys is the day-to-day of our CI/CD pipeline and DevOps as a service work. If your builds lean on native modules or postinstall tooling, the cheap move is to run the npm 11.16.0 audit now rather than meet it as a surprise in July.
Sources
The facts above are drawn from GitHub's official changelog "Upcoming breaking changes for npm v12" (published June 9, 2026). Version numbers, the allowlist commands, and the July 2026 estimate are quoted from that announcement; confirm the exact release date against the changelog as v12 nears.
Talk to the engineer who will own your stack.
No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.
Related News
OpenSSL 3.0 Stops Getting Security Fixes in September and You Probably Still Ship It
OpenSSL 3.0 stops receiving all fixes, including security fixes, after September 7, 2026, and the 3.4 line follows on October 22. For most teams the distro backports cover it, but self-compiled, vendored, and container-bundled OpenSSL go quietly unpatched. Here is who is actually exposed and how to check.
SecurityFrom September 11 the EU Cyber Resilience Act Puts a 24-Hour Clock on Exploited Vulnerabilities and Most Makers Have No Runbook
From 11 September 2026, Article 14 of the EU Cyber Resilience Act forces makers of products with digital elements to report actively exploited vulnerabilities within 24 hours, with a 72-hour follow-up and a 14-day final report. It is the first binding CRA deadline, and the hard part is operational: detecting, triaging, and filing a conformant report inside a single day.
SecurityIf You Use Gravity SMTP On WordPress Rotate Your Email API Keys Now
CVE-2026-4020 in the Gravity SMTP WordPress plugin (about 100,000 installs) lets an unauthenticated attacker pull your email provider API keys straight off the site, and bots are mass-exploiting it. It is rated CVSS 7.5 (High). Here is what leaks, why it deserves immediate attention, and the patch-and-rotate steps.