NPM has announced new version (v12) of the npm package manager in a bid to prevent software supply chain attacks.

In a blog post published on June 9, The team of npm developers at Microsoft-owned GitHub announced three security-focused breaking changes that will transition the package manager from a model of implicit trust to explicit opt-in.

Available from July 2026, these changes represent a fundamental shift in how the ecosystem handles dependencies.

In npm v12, three historically permissive defaults will be flipped:

• Blocked install scripts: Running npm install will no longer automatically execute background scripts (such as preinstall, install, postinstall or native C/C++ builds like node-gyp rebuild), preventing malicious code from immediately executing during installation
• Blocked Git dependencies: Resolving dependencies directly from custom Git URLs will be blocked by default to prevent attackers from using custom Git configurations to bypass script restrictions
• Blocked remote URLs: Sourcing packages directly from external URLs or HTTPS tarballs instead of official registries will be forbidden by default unless explicitly permitted

To prepare for this transition, developers can already upgrade to the current npm version 11.16.0 or newer to receive optional warnings. They can also use the new npm approve-scripts command to audit their dependencies, identify blocked scripts and build a local policy allowlist directly in their package.json file.

Closing One Door May Open Others, Security Experts Caution

Isaac Evans, founder and CEO of Semgrep, supported this shift, and noted that the economic realities of software supply chain attacks demand structural defenses rather than relying on developers to individually catch every threat.

"It's become clear that the economics of supply chain attacks have shifted. Worms like Miasma do not need a perfect hit rate. They are cheap to modify, cheap to rerun, and easier to extend now that parts of the playbook have been exposed,” he said.

“That makes stronger defaults around install scripts and non-registry dependencies a meaningful step."

He also noted that the overall response is moving toward structural guardrails instead of asking every developer to catch every bad package in time.

However, Evans warned that as public package managers close these doors, attackers will pivot to private corporate repositories like Artifactory and Nexus. As he put it, "If npm and PyPI close off easier paths, attackers will look for the next trusted layer."

Vulnerability researcher Paul McCarty, also known as 6mile, offered a more cautious perspective, warning that while the updates address long-standing flaws, they could also border on security theatre if they lead to developer friction.

In an analysis published on his website, Open Source Malware, on June 10, McCarty commended GitHub for retiring these three highly vulnerable defaults but said he remains concerned about the timeline for widespread adoption.

Furthermore, he added fearing that because build completion is a developer's primary objective, many will simply blind-approve blocked scripts to bypass the warnings.

"When the choice is 'this builds' and 'this is less prone to malware', the former will always win,” McCarty cautioned.

He also highlighted an unintended consequence for security researchers, warning that benign package maintainers may resort to suspicious-looking workarounds to bypass the new blocks.

"The benign and the malicious converge on the same suspicious-looking pattern. We end up triaging a flood of weird-but-fine packages to find the weird-and-actually-bad ones and the bad ones get better cover precisely because so much legitimate behavior now looks the same way,” he warned.