GitHub to tighten npm security defaults in v12 release
Git and remote dependencies will require explicit approval, while unapproved package scripts will cease execution, as part of a broader security hardening effort.
GitHub has announced that the upcoming npm v12 release, estimated for July 2026, will introduce significant security-related breaking changes to the default behaviour of npm install. The update aims to mitigate supply chain risks by disabling the automatic resolution of Git dependencies and remote URL dependencies, setting the --allow-git and --allow-remote flags to none by default. Furthermore, package scripts that have not been explicitly approved will no longer run automatically.
These measures address specific vulnerabilities, such as a code-execution path where a Git dependency’s .npmrc file could override the Git executable, even when the --ignore-scripts flag is used. The --allow-git change was previously announced on 18 February 2026 and has been available in npm 11.10.0 and newer. The --allow-remote flag became available in npm 11.15.0 and newer. The related --allow-file and --allow-directory flags will not change their defaults in v12.
To assist developers in preparing for these changes, the new security defaults are currently available behind warnings in npm versions 11.16.0 and newer. Developers are advised to upgrade to npm 11.16.0 or later, run their normal install, and review the warnings generated by the system. This allows teams to identify and address potential disruptions before the major version upgrade.
GitHub recommends using the npm approve-scripts --allow-scripts-pending command to review and approve scripts before upgrading. By using this tool, developers can see which packages have scripts, approve the ones they trust, and commit the updated package.json. After this process, only the scripts that have been explicitly approved will continue to run once the upgrade to v12 is complete.
Anything left unapproved will stop running after the upgrade. More details regarding these changes are available in the npm documentation on approve-scripts, deny-scripts, and the allow-scripts config for npx and global installs. GitHub has invited comments and questions in its community discussion.
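The preparation steps above (upgrade to npm 11.16.0 or later, run a normal install to surface the warnings, then review pending scripts with npm approve-scripts --allow-scripts-pending and commit package.json) can be scripted so that every developer and CI job runs them the same way. The following POSIX shell script is an added example, not code from GitHub or the npm project; it assumes only the commands and version thresholds named in the announcement, and it guards the npm steps behind a version check so that a too-old npm (which would emit no warnings at all) fails loudly instead of silently reporting nothing to fix.

```shell
#!/bin/sh
# Added example (not part of the npm announcement): prepare a project for the
# npm v12 install defaults. Assumes npm is on PATH and that, as the
# announcement states, the new-default warnings appear only in npm >= 11.16.0.

# Return success (0) when dotted version $1 is at least version $2.
# Compares the first three numeric fields; a pre-release/build suffix
# (e.g. "-pre.1") is stripped before comparison.
version_at_least() {
  have=$(printf '%s' "$1" | sed 's/[-+].*//')
  want=$(printf '%s' "$2" | sed 's/[-+].*//')
  i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s\n' "$have" | cut -d. -f"$i")
    w=$(printf '%s\n' "$want" | cut -d. -f"$i")
    h=${h:-0}
    w=${w:-0}
    if [ "$h" -gt "$w" ]; then return 0; fi
    if [ "$h" -lt "$w" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Run the preparation workflow the announcement describes.
prepare_for_npm12() {
  npm_version=$(npm --version) || { echo "npm not found on PATH" >&2; return 1; }

  # Older npm prints no v12 warnings, so an install that "looks clean" on
  # npm 11.15 or earlier proves nothing. Refuse to continue rather than mislead.
  if ! version_at_least "$npm_version" 11.16.0; then
    echo "npm $npm_version is too old: the v12 warnings need 11.16.0 or newer" >&2
    echo "upgrade first, e.g. npm install -g npm@latest" >&2
    return 1
  fi

  echo "== npm install on npm $npm_version: read the warnings about git/remote dependencies and unapproved scripts =="
  npm install

  echo "== reviewing packages with pending install scripts =="
  # Interactive review: approve only packages whose scripts you have inspected.
  npm approve-scripts --allow-scripts-pending

  echo "Now commit the updated package.json so the approvals travel with the repository."
}

# Invoke as:  sh prepare-npm12.sh --run
if [ "${1:-}" = "--run" ]; then
  prepare_for_npm12
fi
```

Anything the review leaves unapproved is exactly what will stop running once v12 lands, so the script's output is the list of packages that still need a decision (approve, replace, or accept the loss of their install step) before the upgrade.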