GitHub announced that NPM version 12 will block dependency scripts by default to reduce the supply chain abuse seen in attacks like TeamPCP and the Shai-Hulud worm. The change also affects git, file, link, and remote URL dependencies, and developers can use the approve-scripts command and allow flags to permit scripts only from trusted packages. #TeamPCP #ShaiHulud #NPM
Key points
- NPM version 12 will no longer run dependency scripts by default.
- The change is meant to stop supply chain attacks abusing npm install.
- Preinstall, install, and postinstall scripts must be explicitly approved.
- Node-gyp builds and some git, file, and link dependencies are also affected.
- Developers can review and allow trusted scripts with npm approve-scripts.