GitHub has released npm 12 with install scripts, Git dependencies, and remote URL dependencies disabled by default, requiring explicit approval through a new trust workflow. It also announced future restrictions on npm granular access tokens used to bypass 2FA, while pnpm 11.10 adds a safer structured _auth setting to better protect registry credentials. #npm #GitHub #pnpm #2FA
Keypoints
- npm 12 disables lifecycle scripts by default unless users explicitly approve them.
- Git-based and remote URL dependencies now require opt-in approval before installation.
- Trusted scripts must be approved with npm approve-scripts and saved in package.json.
- npm granular access tokens bypassing 2FA will lose sensitive account and organization management abilities.
- pnpm 11.10 introduces _auth to keep credentials tied to their registry host and out of project files.
Read More: https://thehackernews.com/2026/07/npm-12-disables-install-scripts-by.html