Kai Ole Hartwig
4 min read
Medium

npm v12: install scripts are now off by default — what it means for your CI

npm v12 marks one of the biggest security course corrections in the ecosystem in years: allowScripts defaults to off starting with this version. preinstall, install and postinstall scripts, plus implicit node-gyp builds, no longer run automatically on npm install — precisely the mechanism that delivered most npm supply-chain worms in recent years. Per the GitHub changelog, the release is announced for July 2026, with warnings already live since npm 11.16.0. Anyone who doesn't prepare risks broken CI pipelines on upgrade day.

What's changing?

npm v12 flips the previous default: install scripts from dependencies no longer run automatically, only after explicit approval. This covers preinstall, install, postinstall, and implicit node-gyp builds (native modules). It also blocks prepare scripts from git, file and link dependencies. Two related changes, announced back in February 2026, land alongside it: direct or transitive git dependencies no longer resolve without --allow-git (available since npm 11.10.0), and dependencies from remote sources like HTTPS tarballs require --allow-remote (available since npm 11.15.0).

Why it matters

Install scripts have been the preferred execution path for npm supply-chain malware for years — from classic credential stealers to self-propagating worms like the ones documented on this blog (binding.gyp/node-gyp abuse, IronWorm, Miasma). A default that turns scripts off shifts the attack surface substantially: attackers now additionally need to get users to explicitly approve their package, instead of relying on automatic execution on npm install. Important context: this doesn't close every attack vector — the jscrambler incident of 11 July 2026 (see our separate post) shows that from certain versions onward, payloads can run entirely without an install hook, directly at module import. Install-scripts-off is an important line of defense, but not the only one.

What to do now

Before upgrading

 

# update to npm 11.16.0+ to see warnings
npm install -g npm@11
npm --version
# shows which packages ship install scripts
npm approve-scripts --allow-git-pending

 

Approve trusted packages

 

# interactively choose which packages may run scripts
npm approve-scripts
# the result lands in package.json — commit and version it

 

Prepare CI pipelines

 

# explicitly test whether the build still passes without automatic scripts
npm ci --ignore-scripts
# for native modules, add an explicit build step instead of relying on postinstall

 

Check git/remote dependencies

 

# check whether package.json references git or remote-URL dependencies
grep -E "git\+https|git://|https://.*\.tgz" package.json
# add flags if these dependencies are genuinely needed
npm install --allow-git --allow-remote

Frequently asked questions about npm v12

How do I handle legitimate native modules that need a build step?+

Approve them explicitly via npm approve-scripts and commit the result in package.json — that keeps the approval reproducible and visible in code review instead of running implicitly.

Does this fully protect against npm supply-chain attacks?+

No. It closes the most common execution path, but newer attacks (see the jscrambler incident, July 2026) already show payloads running at module import instead of via install scripts. Additional controls like version pinning and egress filtering remain necessary.

Will this break my existing CI?+

Possibly, if your pipeline relies on automatically-run postinstall scripts or implicit node-gyp builds. Test ahead of time with npm ci --ignore-scripts and set up an allowlist via npm approve-scripts.

When exactly does npm v12 ship?+

Per the GitHub changelog it's announced for July 2026; warnings on affected packages are already visible since npm 11.16.0. An exact ship date wasn't officially fixed at the time of writing — check the npm blog/changelog before upgrading production.

Conclusion

npm v12 is one of the biggest structural improvements to npm security in a long time — but not a license to switch off your own vigilance. Anyone who checks lockfiles and CI pipelines for implicit install scripts now and builds a deliberate allowlist will get through the upgrade without breakage while cutting down the still-largest single vector for npm supply-chain incidents.

Sources

I get your CI pipelines ready for npm v12 — script allowlist, build adjustments and regression testing included.

Audit of your package.json/lockfiles for implicit install scripts and git/remote dependencies, building a versioned approve-scripts allowlist, adjusting CI build steps for native modules.

Platform operations instead of advice on paper: I test and harden your npm/CI pipeline against both the v12 upgrade and ongoing supply-chain risk.

Book a call

About the author

[Translate to English:] Foto von Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.