← Back to blog

npm 12 Tightens Security with Disabled Install Scripts

GitHub's latest npm update disables install scripts by default to reduce supply chain risks. The release also deprecates granular access tokens that could bypass 2FA.

TL;DR

  • npm v12 disables package install scripts by default to limit supply chain attack surfaces.
  • Developers must now explicitly enable scripts using the --allow-scripts flag.
  • Granular access tokens (GATs), which could override 2FA, are being deprecated.
  • These changes aim to harden the Node.js ecosystem against malicious package execution.
  • Teams should review their CI/CD pipelines and update workflows accordingly.

GitHub has released npm version 12, introducing significant security improvements aimed at reducing supply chain risks in the Node.js ecosystem. By default, the new version disables automatic execution of package install scripts—a common vector for malicious code injection.

In addition to script changes, npm 12 begins the deprecation process for granular access tokens (GATs) that were previously able to bypass two-factor authentication (2FA). These updates reflect ongoing efforts to strengthen developer workflow security and minimize potential exploitation paths.

Install Script Changes

  • The allowScripts option now defaults to false, requiring explicit permission to run package scripts during installation.
  • This change mitigates the risk of executing unintended or malicious code from third-party packages.
  • Developers can re-enable scripts on a per-project basis using the --allow-scripts CLI flag.
  • Projects relying on automated script execution will need configuration updates to maintain functionality.

Authentication Security Improvements

  • Granular Access Tokens (GATs), which previously could circumvent 2FA enforcement, are now deprecated.
  • This move strengthens account protection by ensuring 2FA remains effective across all token types.
  • Organizations should audit existing tokens and transition to supported authentication methods.
  • Future npm versions will fully remove support for legacy GAT behavior.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

npm 12 Tightens Security with Disabled Install Scripts — Agent Breach Blog | Agent Breach