npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
GitHub has released npm 12 with install scripts, Git dependencies, and remote URL dependencies disabled by default, requiring explicit approval through a new trust workflow. It also announced future restrictions on npm granular access tokens used to bypass 2FA, while pnpm 11.10 adds a safer structured _auth setting to better protect registry credentials. #npm #GitHub #pnpm #2FA

Keypoints

  • npm 12 disables lifecycle scripts by default unless users explicitly approve them.
  • Git-based and remote URL dependencies now require opt-in approval before installation.
  • Trusted scripts must be approved with npm approve-scripts and saved in package.json.
  • npm granular access tokens bypassing 2FA will lose sensitive account and organization management abilities.
  • pnpm 11.10 introduces _auth to keep credentials tied to their registry host and out of project files.

Read More: https://thehackernews.com/2026/07/npm-12-disables-install-scripts-by.html