https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
GitHub has announced a series of significant security enhancements to the npm package registry in a determined effort to combat the growing threat of software supply chain attacks. The changes restrict how npm handles package installation and dependency resolution. Starting in version 12, npm install will no longer automatically run preinstall, install, or postinstall scripts from dependencies unless they have been explicitly approved by the user. This change also extends to native module builds triggered through node-gyp, as well as prepare scripts from Git, local file, and linked dependencies, effectively closing off a widely exploited avenue for malicious code execution during the package installation process.
In a further tightening of dependency controls, npm install will cease fetching dependencies from Git repositories, whether direct or transitive, unless explicitly permitted by the user. GitHub identified this as a critical security gap, noting that a Git dependency’s .npmrc file could previously be used to manipulate which Git executable was invoked, even in environments where install scripts had been disabled. By removing this code execution pathway entirely, GitHub aims to significantly reduce the ability of threat actors to smuggle malicious behaviour into projects through seemingly legitimate Git-based dependencies.
The third major change targets remote URL dependencies, with npm install no longer resolving dependencies fetched from remote URLs such as HTTPS tarballs unless they have been explicitly authorised. This restriction applies to both direct and transitive dependencies, addressing a longstanding concern that remote URL resolution could be abused to silently introduce unvetted or malicious code into a project’s dependency tree without the developer’s knowledge.
Taken together, the three changes represent a meaningful shift towards a more explicitly permissioned and security-conscious approach to package management within the npm ecosystem.