← Back to all briefs
Security50s read

npm v12 Will Default allowScripts to Off, Blocking Automatic Install Script Execution

Coming in July 2026, npm v12 disables automatic install scripts, git dependencies, and remote URL resolution by default. Every frontend team needs an allowlist before the upgrade lands.

npm v12, expected in July 2026, will ship with allowScripts defaulting to off. No preinstall, install, or postinstall scripts from dependencies will execute unless you have explicitly approved the package. Native node-gyp builds are blocked too. This is the most significant npm security change in years, and a direct response to the Miasma supply chain attacks that backdoored dozens of packages through compromised preinstall hooks.

Two companion defaults are also flipping. --allow-git defaults to none, blocking Git dependency resolution and closing a code execution path where a dependency's .npmrc could hijack the Git binary. --allow-remote defaults to none, blocking resolution from remote URL tarballs. Local file and directory dependencies are not affected.

The migration path is already available in npm 11.16.0. Upgrade now, run a normal install, and review the warnings. Use npm approve-scripts --allow-scripts-pending to see which packages have install scripts. Approve the ones you trust, deny the rest, and commit the resulting allowlist in package.json. Anything left unapproved stops working after the v12 upgrade.

If your team has not checked which dependencies run code during npm install, do it now. The Miasma attacks proved a single compromised account can inject a preinstall script into packages with millions of downloads. npm v12 makes that vector opt-in instead of opt-out. The tradeoff: you must explicitly approve every package that needs a build step, from native modules to TypeScript libraries that ship uncompiled. It is a small audit for removing the attack surface entirely.