GitHub has announced that npm version 12, due next month, will disable install scripts by default. It calls install-time lifecycle scripts “the single largest code-execution surface in the npm ecosystem,” because npm install runs scripts from every transitive dependency, so one compromised package anywhere in the tree can execute arbitrary code on a developer machine or CI runner. In v12, script execution becomes opt-in: developers approve trusted packages with npm approve-scripts, native node-gyp builds are blocked unless approved, and --allow-git now defaults to none, closing a path where a Git dependency’s .npmrc could override the Git executable even with --ignore-scripts set.
Why it matters to the security leader: this is a default-trust inversion at ecosystem scale. For years the npm bargain was “trust everything unless you opt out.” Flipping it to “trust nothing unless you opt in” rewrites the threat model for every CI pipeline that pulls Node dependencies, and it follows npm’s earlier min-release-age control that rejects very new package versions.
The signal underneath: the industry is conceding that implicit trust in the dependency tree is indefensible and is moving the burden of proof onto packages rather than defenders. Expect friction, because native builds and prepare scripts from git, file, and link dependencies will break until explicitly approved. Security leaders should not wait for v12 to ship: upgrade to npm 11.16.0 or newer now, run a normal install, review the warnings, and approve only the scripts you trust so the upgrade is a non-event rather than a wave of failed pipelines.
Source: The Hacker News.