GitHub turns off npm install scripts by default in v12
GitHub will disable preinstall, install and postinstall scripts by default in npm v12 and block Git and remote URL dependencies unless enabled with `--allow-git` or `--allow-remote`.
GitHub announced it will disable preinstall, install and postinstall scripts by default in npm version 12 and will block Git and remote URL dependencies unless developers enable them with `--allow-git` or `--allow-remote`. npm v12 is scheduled to ship next month.
The company described lifecycle scripts as the “single largest code-execution surface in the npm ecosystem,” noting that npm install runs scripts from every transitive dependency. That behavior can let a compromised package anywhere in a dependency tree execute code on a developer machine or a continuous integration runner.
Under the new defaults, npm install will not run preinstall, install or postinstall scripts from dependencies unless a project explicitly allows them. Git dependencies, direct or transitive, will not be resolved unless `--allow-git` is provided. Dependencies fetched from remote URLs, such as HTTPS tarballs, will not be resolved unless `--allow-remote` is provided.
Defaulting `--allow-git` to "none" aims to close a path where a Git dependency's .npmrc file could override the Git executable and cause unexpected code execution even when flags like `--ignore-scripts` are used.
The change affects native builds. Packages that rely on node-gyp rebuilds can be blocked because npm performs implicit node-gyp rebuilds even when no explicit install script exists. Prepare scripts from git, file and link dependencies will be blocked in the same way as other lifecycle scripts.
GitHub recommends developers upgrade to npm 11.16.0 or newer, run a normal install and review the warnings that appear. Developers can run `npm approve-scripts --allow-scripts-pending` to list packages that contain scripts, approve the ones they trust and commit the updated package.json so approved scripts continue to run after upgrading.
Earlier this year npm added a min-release-age setting that lets registries reject package versions published fewer than a specified number of days earlier. That setting is intended to reduce the risk from freshly published malicious packages.
Projects that rely on Git or remote dependencies or that use packages that trigger node-gyp rebuilds will need to update configuration to explicitly allow those behaviors or approve specific scripts to keep installs working after the upgrade.