GitHub says npm v12 will tighten npm install behavior by requiring explicit approval for dependency install scripts, Git-based dependencies, and remote URL sources that previously executed or resolved automatically. These changes are intended to block supply-chain abuse seen in campaigns affecting eslint-config-prettier, Toptal's Picasso packages, data-stealing npm packages, and Shai-Hulud attacks. #npm #ShaiHulud #eslint-config-prettier #Picasso #node-gyp
Key points
- npm v12 will require explicit approval for dependency scripts and non-registry sources.
- preinstall, install, postinstall, and prepare scripts will no longer run by default.
- Git-based dependencies will not be fetched automatically unless permitted.
- Remote URL dependencies such as HTTPS tarballs will also need explicit approval.
- GitHub recommends upgrading to npm 11.16.0 to review warning messages before moving to v12.