npm v12 Install Security: allowScripts Migration Guide
GitHub's June 9 changelog says npm v12 will turn several install-time behaviors into explicit opt-ins. The change is scheduled for July 2026, while npm 11.16.0+ already exposes warnings teams can use to prepare.
Technical Signals
- Script Default: dependency preinstall, install, and postinstall scripts stop running unless approved.
- Native Addons: the implicit node-gyp rebuild is gated by the same opt-in, so native packages also need explicit approval.
- Git Dependencies: --allow-git defaults to none, closing a code-execution path through Git dependency resolution.
- Remote Tarballs: --allow-remote defaults to none for remote URL and tarball dependencies.
What Changed
The core shift is that package installation becomes less ambient. Today, many projects rely on packages running scripts as a side effect of install. In npm v12, the safer assumption is that those scripts are blocked until the project declares them acceptable.
That is a meaningful supply-chain hardening move because install scripts run before developers have reviewed the installed package. Attackers regularly target this phase because it touches CI runners, developer laptops, package caches, and build secrets.
Migration Path
Upgrade local and CI environments to npm 11.16.0 or newer before moving to v12. Run normal installs, collect warnings, then execute npm approve-scripts --allow-scripts-pending to see which packages would be blocked.
Approve only packages that have a documented reason to run code during install. Deny everything else with npm deny-scripts, commit the resulting allowlist in package.json, and make that review part of dependency-update pull requests.
Production Risk
The breakage risk is highest for monorepos with native packages, build tools, private Git dependencies, and remote tarballs. Those projects should test under clean caches, because previously built artifacts on a developer machine can mask a missing approval.
Teams should also check Dockerfiles and deployment images. A build that works on a laptop can still fail inside a minimal image if the script approval list was not committed or if the image pins an older npm version.
Adoption Checklist
Start by listing packages that compile native code. Then remove remote tarball dependencies where possible, replace Git dependencies with registry packages, and document any exception that requires --allow-git or --allow-remote.
The best rollout pattern is warning-only first, approval list second, and npm v12 last. That gives security teams a clear audit trail while preserving delivery velocity.
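To make the Migration Path review step and the checklist's first step (listing packages that run code at install) concrete, here is an added example script, not npm's tooling and not from the changelog, that classifies dependency manifests against the project's allowlist. It assumes the allowlist lives in package.json under an `allowScripts` key mapping package name to true/false (that key name is an assumption) and that a binding.gyp with no preinstall or install script triggers npm's implicit node-gyp rebuild.

```javascript
// Added example, not npm's own tooling: list dependencies that would run code
// at install time and classify them against the project's allowlist.
// ASSUMPTION: the allowlist is package.json "allowScripts", mapping package
// name -> true (approved) / false (denied). That key name is hypothetical.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Install-time hooks a manifest declares. A binding.gyp with no preinstall or
// install script makes npm run "node-gyp rebuild" implicitly, so count that too.
function installHooks(manifest, hasBindingGyp = false) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_SCRIPTS.filter((s) => typeof scripts[s] === 'string');
  if (hasBindingGyp && !scripts.preinstall && !scripts.install) {
    hooks.push('install (implicit node-gyp rebuild)');
  }
  return hooks;
}

// Group dependencies into approved / denied / pending relative to the allowlist.
// "pending" is what still needs a decision before the npm v12 default lands.
function auditInstallScripts(rootManifest, deps) {
  const allow = rootManifest.allowScripts || {};
  const result = { approved: [], denied: [], pending: [] };
  for (const dep of deps) {
    const hooks = installHooks(dep.manifest, dep.hasBindingGyp);
    if (hooks.length === 0) continue; // nothing runs during install
    const entry = { name: dep.manifest.name, hooks };
    const decision = allow[dep.manifest.name];
    if (decision === true) result.approved.push(entry);
    else if (decision === false) result.denied.push(entry);
    else result.pending.push(entry);
  }
  return result;
}

// Constructed sample manifests (not real packages) so the script runs offline.
// On a real project, read each node_modules/*/package.json and note whether a
// binding.gyp sits beside it.
const SAMPLE_ROOT = {
  name: 'app',
  allowScripts: { 'sample-native': true, 'sample-telemetry': false },
};
const SAMPLE_DEPS = [
  { manifest: { name: 'sample-native', scripts: { install: 'node-gyp rebuild' } } },
  { manifest: { name: 'sample-telemetry', scripts: { postinstall: 'node report.js' } } },
  { manifest: { name: 'sample-gyp-only' }, hasBindingGyp: true },
  { manifest: { name: 'sample-plain', scripts: { test: 'jest' } } },
];

console.log(JSON.stringify(auditInstallScripts(SAMPLE_ROOT, SAMPLE_DEPS), null, 2));
```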