npm 12 Now Blocks Scripts by Default for Safer Updates
Robert Moore ยท
Listen to this article~5 min
GitHub's npm 12 disables install scripts by default to cut supply chain risks. Granular access tokens that bypass 2FA are deprecated. Learn how this affects your workflow and what to do next for safer package management.
GitHub just dropped npm 12, and it's a big deal for anyone who works with JavaScript packages. The new version turns off install scripts by default, which is a solid move to cut down on supply chain attacks. They're also phasing out granular access tokens (GATs) that could bypass two-factor authentication (2FA). It's all about locking down your workflow without slowing you down.
Let me break down what's changing and why it matters for your daily dev life. This isn't just a minor update -- it's a shift in how we think about trust in open source.
### Why Install Scripts Were a Risk
Install scripts in npm packages can run arbitrary code on your machine during installation. Sounds handy, right? But it's also a huge security hole. Attackers can hide malicious code in those scripts, and you'd never know until it's too late.
With npm 12, the `allowScripts` setting is off by default. That means scripts won't run unless you explicitly opt in. This is like locking your front door -- it's a simple step that stops most random threats. You can still enable scripts for specific packages if you trust them, but the default is now safe.
### What Happened to Granular Access Tokens?
Granular access tokens were supposed to give you fine-grained control over permissions. But they had a flaw: they could bypass 2FA. That's a big no-no in today's security landscape. GitHub is deprecating them, pushing everyone toward more secure authentication methods.
If you were using GATs, you'll need to switch to personal access tokens (PATs) or OAuth tokens. It's a bit of a hassle, but it's worth it for the extra layer of protection. Think of it as upgrading from a padlock to a deadbolt.
### How This Affects Your Workflow
Here's the practical side. When you run `npm install` in version 12, nothing changes for most packages. But if a package relies on install scripts, you'll see a warning. You can then decide to trust it or skip it.
- **For package maintainers**: You'll need to update your docs to tell users they might need to enable scripts. Consider if you really need those scripts -- can you do the same thing with a postinstall hook?
- **For developers**: Get ready to see more prompts. It's a small inconvenience for a big security boost. You can always set `allowScripts=true` globally if you're in a trusted environment, but don't do that on production systems.
### The Bigger Picture on Supply Chain Security
This move is part of a larger trend. The software supply chain is under attack, and npm is one of the biggest targets. By disabling scripts by default, GitHub is raising the bar for everyone. It's not a silver bullet, but it closes a common attack vector.
Other package managers like pip and gem have similar protections. Now npm is catching up. If you're serious about security, this is a welcome change. Pair it with regular audits and dependency scanning, and you're in a much better spot.
### What You Should Do Next
First, update to npm 12 if you haven't already. Run `npm install -g npm@12` on your dev machines and CI pipelines. Then, review your projects for any packages that use install scripts. You can check with `npm query` to see which ones need them.
Second, migrate away from GATs. Create new PATs with the permissions you actually need. It's a good excuse to clean up old tokens and tighten access.
Finally, spread the word. Let your team know about these changes. A little awareness goes a long way in preventing supply chain attacks. This isn't just about npm -- it's about building a safer ecosystem for everyone.
A deeper breakdown of GoLogin Review 2026 โ Fast, affordable anti-detect browser with cloud profiles - real examples, numbers, and what actually works.
A deeper breakdown of Undetectable.io Review 2026 โ Unlimited local profiles with solid fingerprint masking - real examples, numbers, and what actually works.