The era in which simply running 'npm install' executes arbitrary code is coming to an end, as npm plans to disable automatic script execution by default.



The JavaScript package manager 'npm' is scheduled to ship a change in its 'npm v12' release, expected in July 2026, that stops the lifecycle scripts of dependency packages from running automatically by default during installation.

Upcoming breaking changes for npm v12 - GitHub Changelog

https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/

When installing packages with npm, developers run 'npm install' in the terminal. This is a familiar step in Node.js development because it conveniently downloads the project's direct dependencies together with all of their transitive dependencies.

Some packages include scripts that perform configuration and build tasks during installation, meaning that simply running `npm install` can cause code from those packages to run on the developer's PC or on a CI server that automatically tests and builds the program. This mechanism is normally used for building native extensions and generating auxiliary files, but if a malicious or compromised package is anywhere in the dependency tree, the installation process itself becomes an entry point for an attack.



In npm versions up to v11, it was standard behavior for the 'preinstall,' 'install,' and 'postinstall' scripts of dependency packages to run automatically at fixed points before and after installation. This let a package complete its own setup just by being installed, but it also meant running code from dependencies that the developer had never inspected.

GitHub has announced that npm v12 will move away from automatic execution to a model in which only scripts from packages explicitly trusted by the developer or project are run. In npm v12, 'allowScripts' is turned off by default, so the preinstall, install, and postinstall scripts of dependency packages will not run unless the project explicitly permits them. The same applies to 'prepare' scripts of Git, file, and link dependencies.

Furthermore, packages that call into C or C++ code from Node.js are commonly built with a tool called 'node-gyp'. If a package ships a 'binding.gyp' file and declares no explicit install script, npm up to v11 implicitly runs 'node-gyp rebuild' as the install step. In npm v12, this implicit node-gyp rebuild is also blocked unless permission is given.



In addition to the changes to script execution, npm v12 also disables Git repositories as dependencies by default. package.json allows dependencies that reference a Git repository directly (for example on GitHub) in addition to versions on the npm registry, but npm v12 will no longer resolve Git dependencies, whether direct or transitive, unless explicitly allowed with '--allow-git'.

The reason is that a '.npmrc' file shipped inside a Git dependency can override the path of the Git executable that npm invokes, so even when script execution is turned off with '--ignore-scripts', a path to arbitrary code execution remains.

Similarly, dependencies specified as a remote URL (a URL pointing at a tarball) will no longer be resolved by default.

When you run `npm install` with npm 11.16.0 or later, you receive a warning about packages whose script execution will be restricted in npm v12. Developers can list the packages that would be blocked with `npm approve-scripts --allow-scripts-pending`, allow trusted packages with `npm approve-scripts`, and deny packages they do not want to allow with `npm deny-scripts`. These allow and deny decisions are recorded in `package.json`, and committing them to the repository is recommended so that the whole team shares them.

Posted in Software, Security by log1d_ts