GitHub Automates Disabling npm Installs to Block Supply
GitHub has announced a security-focused update to npm, the Node package manager. The forthcoming npm v12 release introduces breaking changes designed to reduce software supply chain attack risk.
The update, expected in July 2026, turns off automatic execution of install scripts by default; such scripts are one of the mechanisms most commonly abused by malicious npm packages.
In npm v12, the new allowScripts configuration will be set to off by default. This means that npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless developers explicitly approve them.
These scripts have historically been a key attack vector, allowing threat actors to execute arbitrary code during package installation.
GitHub Disables npm Install Scripts
The restriction also covers implicit behavior such as node-gyp rebuild, which npm runs automatically for native modules that ship a binding.gyp file.
In addition, prepare scripts for dependencies installed from Git, local files, and linked packages will be blocked unless explicitly permitted.
Developers can preview which scripts would be blocked using the command:
npm approve-scripts --allow-scripts-pending
Trusted packages can then be allowlisted using npm approve-scripts, while untrusted ones can be blocked via npm deny-scripts.
The approved script list is stored in package.json and should be committed to version control so the whole team and CI install with the same trust decisions.
npm v12 also introduces stricter controls on external dependency sources:
--allow-git will default to none, so npm will not resolve Git-based dependencies unless this is explicitly enabled.
--allow-remote will also default to none, blocking installation of packages from remote URLs such as HTTPS tarballs.
These changes close attack paths in which a malicious package could pull arbitrary code in through a Git dependency.
Notably, attackers have previously abused .npmrc files shipped in Git repositories to override system binaries even when script execution had been turned off with --ignore-scripts.
To help developers prepare, these changes are already partially implemented in npm versions 11.10.0 through 11.16.0, which emit warnings rather than enforcing the new defaults.
GitHub recommends upgrading to npm 11.16.0 or later to identify potential disruptions in existing workflows.
Running a standard install on those versions surfaces warnings about the behaviors that will be blocked, so teams can begin moving to the new opt-in model before v12 ships.
This shift reflects a broader industry effort to secure the open-source software supply chain, which attackers have increasingly targeted through typosquatting, dependency confusion, and malicious package updates.
By requiring explicit trust declarations for script execution and external sources, npm v12 introduces a zero-trust-like model for dependency installation. This reduces the risk of silent compromise during routine development operations.
For organizations relying heavily on third-party packages, these changes will require adjustments to CI/CD pipelines and dependency management practices.
However, the trade-off is a more secure and transparent software development process that aligns with modern secure-by-default principles.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.