{"id":229840,"date":"2026-06-11T02:23:00","date_gmt":"2026-06-11T06:23:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks\/"},"modified":"2026-06-11T05:50:18","modified_gmt":"2026-06-11T09:50:18","slug":"github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks\/","title":{"rendered":"GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html\">GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html\">https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html<\/a><\/p>\n<p>Publish Date: 2026-06-11 02:23:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>Ravie Lakshmanan, Jun 11, 2026, Developer Security \/ Software Supply Chain<\/p>\n<p>GitHub has announced what it said are &#8220;breaking changes&#8221; coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats.<\/p>\n<p>The changes target attack techniques that abuse the &#8220;npm install&#8221; command to trigger the execution of malicious code via npm lifecycle hooks. &#8220;npm install&#8221; is the command that downloads and installs all the dependencies of a Node.js project.
Version 12 is scheduled for release next month.<\/p>\n<p>Describing install-time lifecycle scripts as the &#8220;single largest code-execution surface in the npm ecosystem,&#8221; GitHub said the &#8220;npm install&#8221; command runs scripts from every transitive dependency, so a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner.<\/p>\n<p>By blocking this behaviour, npm will require explicit user approval before any code runs automatically during &#8220;npm install,&#8221; rather than trusting every package by default. &#8220;Making script execution opt-in closes that path while keeping it one command away for the packages you trust,&#8221; GitHub said.<\/p>\n<p>The changes are listed below &#8211;<\/p>\n<ul>\n<li>npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.<\/li>\n<li>npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via --allow-git.<\/li>\n<li>npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via --allow-remote.<\/li>\n<\/ul>\n<p>&#8220;This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),&#8221; the Microsoft-owned subsidiary said about changes to the default &#8220;allowScripts&#8221; behavior.
&#8220;prepare scripts from git, file, and link dependencies are blocked the same way.&#8221;<\/p>\n<p>By defaulting &#8220;--allow-git&#8221; to &#8220;none,&#8221; the setting closes a code execution path in which a Git dependency&#8217;s .npmrc configuration file could override the Git executable, even with --ignore-scripts, the flag that prevents packages specified in a package.json file from automatically running their lifecycle scripts during installation.<\/p>\n<p>GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running a normal install, and reviewing the warnings displayed.<\/p>\n<p>&#8220;Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,&#8221; it added. &#8220;After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop.&#8221;<\/p>\n<p>Earlier this year, npm also introduced &#8220;min-release-age,&#8221; a setting that tells npm to reject any package version published less than a specified number of days ago, as a safeguard against newly published malicious packages.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229841,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_yyoUTLr71Ug2Ge0R7qFSnlGjB3TzlrQ-2NDR5jpPSBjivUSxhxRV1eCg5E6Af15RbJLZpqg9Ohp9ZW9YC9D2oc3VcHrNYQetavvvarn-Pn1P4VWnMw2C-hXbFgplFW9O8pe-zSP9ABGkkR-LM8hhu370dXMgeV-TGQT2p9N7hd7Friim3UkdK5FfyHHp\/s16000\/npm-github.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-229840","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229840"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229840"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229840\/revisions"}],"predecessor-version":[{"id":229842,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229840\/revisions\/229842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229841"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp
\/v2\/tags?post=229840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}