
npm v12 Blocks Install Scripts, Git Deps, and Remote Tarballs

github.blog · @systems_wire · 5 hours ago · Developer Tools · 2 comments

npm v12, landing in July 2026, flips three security defaults from implicit to explicit: lifecycle install scripts, Git dependencies, and remote tarballs.

Tags: npm, github, node.js, supply chain security, package management, security

Come July 2026, npm install will stop running preinstall, install, and postinstall scripts from dependencies unless you explicitly allow them. That includes native node-gyp rebuilds — even a package with only a binding.gyp and no explicit install script gets blocked because npm runs an implicit rebuild.

Three Defaults That Flip from Implicit to Explicit

First: allowScripts defaults to off. No more automatic execution of lifecycle scripts from your dependency tree. Second: --allow-git defaults to none — Git dependencies, direct or transitive, will refuse to resolve unless you explicitly pass --allow-git. This closes a nasty code-execution path where a Git dependency’s .npmrc could override the Git executable, even with --ignore-scripts. Third: --allow-remote defaults to none — HTTPS tarballs and other remote URLs become opt-in.

The related --allow-file and --allow-directory flags are not changing their defaults in v12. Those stay as they are.
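The two Git and remote defaults above bite on transitive dependencies as well as direct ones, so the useful pre-upgrade check is a pass over the lockfile rather than over package.json alone. The script below is an added example, not code from the GitHub post or from npm itself: it walks every dependency spec recorded in a package-lock.json (v3 layout), classifies each spec roughly the way npm-package-arg does (file, git, remote, registry), and reports which entries v12 would refuse to resolve without --allow-git or --allow-remote. The lockfile is constructed for the demo, and the classifier is an approximation of npm's real spec parsing; --allow-file and --allow-directory entries are reported but not flagged, since their defaults do not change.

```javascript
// Added example (not npm's code): classify lockfile dependency specs by how
// npm v12's defaults treat them. LOCKFILE is a constructed package-lock.json v3.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: {
        "left-pad": "^1.3.0",                                        // registry range
        "my-fork": "github:example/my-fork#abc1234",                 // git (direct)
        "vendored": "https://example.com/downloads/vendored-0.1.0.tgz", // remote tarball
        "local-lib": "file:../local-lib",                            // file, unaffected
      },
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      dependencies: { "deep-git": "git+https://github.com/example/deep-git.git" }, // git (transitive)
    },
    "node_modules/my-fork": { version: "2.0.0" },
    "node_modules/vendored": { version: "0.1.0", dependencies: { tiny: "1.0.0" } },
    "node_modules/local-lib": { resolved: "../local-lib", link: true },
    "node_modules/left-pad/node_modules/deep-git": { version: "0.0.1" },
    "node_modules/tiny": { version: "1.0.0" },
  },
};

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Approximation of npm-package-arg's spec typing, enough for an audit pass.
function classifySpec(spec) {
  if (/^(file:|\.{1,2}\/|\/|~\/)/.test(spec)) return "file";
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return "git";
  if (/\.git(#.*)?$/.test(spec)) return "git";              // https://host/user/repo.git
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git";   // bare user/repo shorthand
  if (/^https?:\/\//.test(spec)) return "remote";            // any other URL is a tarball
  return "registry";                                         // ranges, tags, npm: aliases
}

// Flags the post says v12 will require for each blocked kind.
const FLAG_FOR_KIND = { git: "--allow-git", remote: "--allow-remote" };

// One finding per (depending package, dependency name) pair, direct and transitive.
function scanLockfile(lock) {
  const findings = [];
  for (const [from, entry] of Object.entries(lock.packages || {})) {
    for (const field of DEP_FIELDS) {
      for (const [name, spec] of Object.entries(entry[field] || {})) {
        const kind = classifySpec(spec);
        findings.push({
          from: from || "(root)",
          name,
          spec,
          kind,
          blockedInV12: kind in FLAG_FOR_KIND,
          flag: FLAG_FOR_KIND[kind] || null,
        });
      }
    }
  }
  return findings;
}

// Distinct flags you would have to pass for this lockfile to resolve under v12.
function requiredFlags(findings) {
  return [...new Set(findings.filter((f) => f.blockedInV12).map((f) => f.flag))].sort();
}

const findings = scanLockfile(LOCKFILE);
for (const f of findings.filter((x) => x.blockedInV12)) {
  console.log(`${f.from} -> ${f.name} (${f.kind}: ${f.spec}) needs ${f.flag}`);
}
console.log("flags required under npm v12 defaults:", requiredFlags(findings));
```

Run it against a real lockfile by replacing LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result from requiredFlags is the signal that a v12 install will fail to resolve until those dependencies are either replaced with registry versions or explicitly allowed.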

How to Audit and Allow Scripts Now

Upgrade to npm 11.16.0 or later, then run npm approve-scripts --allow-scripts-pending to list every package whose scripts would be blocked. Approve the ones you trust with npm approve-scripts and block the rest with npm deny-scripts. The resulting allowlist lives in package.json and should be committed. Anything you leave unapproved will stop working when v12 lands.

For npx and global installs, the same allow-scripts config applies.

What This Means for Build Pipelines

If your CI pipeline runs npm install and relies on postinstall hooks for native modules (think sharp, protobuf, or any package with a prebuild step), you’ll see warnings immediately in npm 11.16.0+. Ignoring them means broken builds in July 2026. The shift is deliberate: npm is treating every script as a potential supply-chain attack, even from packages you trust today.

Start running npm 11.16.0 today, run npm approve-scripts, and commit that package.json — otherwise your July upgrade will break every build with a postinstall step.


Source: Upcoming breaking changes for NPM v12
Domain: github.blog


