Upcoming breaking changes for npm v12

425 points · 171 comments on HN


npm v12 will block install scripts, Git dependencies, and remote URLs by default, requiring explicit allowlists.

npm v12, due for release in July 2026, introduces three security-focused breaking changes to the defaults of npm install. The allowScripts flag defaults to off, blocking preinstall, install, postinstall, and prepare scripts unless they are explicitly approved via the npm approve-scripts command. The allow-git flag defaults to none, preventing Git dependency resolution without explicit permission. The allow-remote flag defaults to none, blocking remote URL dependencies. All three changes are available as warnings in npm 11.16.0 and later. Users should upgrade to npm 11.16.0+, run their normal install, review the warnings, and use npm approve-scripts --allow-scripts-pending to audit and approve trusted packages before upgrading to v12.
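As an added example (not code from npm or from the announcement), the Node script below audits a lockfile v2/v3 package-lock.json for the three dependency classes that v12 will block by default, so a team can see what it will need to allowlist before upgrading. It assumes npm's hasInstallScript lockfile field and resolved URLs, and treats registry.npmjs.org as the only registry host; the sample lockfile and package names are constructed.

```javascript
// Assumption: tarballs from these hosts are registry packages; add private registries here.
const REGISTRY_HOSTS = ["registry.npmjs.org"];

// Classify a lockfile `resolved` URL as registry, git, remote tarball, or other (file:, link:).
function classifyResolved(resolved, registryHosts = REGISTRY_HOSTS) {
  if (!resolved) return "registry"; // bundled or workspace entries carry no URL
  if (/^git(\+[a-z]+)?:/.test(resolved)) return "git";
  if (/^https?:/.test(resolved)) {
    const host = new URL(resolved).hostname;
    return registryHosts.includes(host) ? "registry" : "remote";
  }
  return "other";
}

// Walk the `packages` map of a v2/v3 lockfile and bucket entries by what npm v12 blocks by default.
function auditLockfile(lock, registryHosts = REGISTRY_HOSTS) {
  const report = { scripts: [], git: [], remote: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const id = `${name}@${entry.version || "?"}`;
    // npm sets hasInstallScript for preinstall/install/postinstall; `prepare` is not flagged here.
    if (entry.hasInstallScript) report.scripts.push(id);
    const kind = classifyResolved(entry.resolved, registryHosts);
    if (kind === "git") report.git.push(id);
    if (kind === "remote") report.remote.push(id);
  }
  return report;
}

// Constructed sample lockfile; the package names are made up for this example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-lib": { version: "1.3.0", resolved: "https://registry.npmjs.org/plain-lib/-/plain-lib-1.3.0.tgz" },
    "node_modules/native-thing": { version: "2.0.0", resolved: "https://registry.npmjs.org/native-thing/-/native-thing-2.0.0.tgz", hasInstallScript: true },
    "node_modules/fork-lib": { version: "0.1.0", resolved: "git+ssh://git@github.com/example/fork-lib.git#abc123" },
    "node_modules/vendored": { version: "3.2.1", resolved: "https://example.com/tarballs/vendored-3.2.1.tgz" },
  },
};

// Run directly: `node audit-lock.js [path/to/package-lock.json]`; without a path the sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

Packages listed under `scripts` are the ones to review before running npm approve-scripts; `git` and `remote` entries are the ones that will need an allow-git or allow-remote setting.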

What commenters are saying

GitHub ownership of npm prompted discussion about the company's history. A former npm team member stated the team was laid off post-acquisition to focus on Copilot. Commenters debated whether the breaking changes sufficiently address supply chain risks. One user proposed that Node's permission system is broken by design compared to Deno's, which grants granular file-system and network permissions per dependency with user prompts. Others noted the changes still leave build-time execution uncontrolled and questioned whether the compromise window merely shifts from installation to first run rather than eliminating the risk.

A technical correction noted that npm approve-scripts already pins allowlists to specific versions in lockfiles, addressing one concern about hash verification.