GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the ‘npm install’ command.
‘npm install’ is the command used to download and install a project’s dependencies and run any install-related scripts defined by the packages.
Developers execute it after cloning a project, pulling updates, or during CI/CD builds, and attackers target it because of the potential for automated code execution during package installation.
The main theme of the announcement is that code execution and non-registry dependency sources that currently trigger automatically during npm install will now require explicit approval instead of being trusted by default.
Specifically, GitHub announced the following changes:
- Starting in version 12, npm install will not run preinstall, install, or postinstall scripts from dependencies unless they have been explicitly approved. This also applies to native module builds triggered through node-gyp, and prepare scripts from Git, local file, and linked dependencies.
- npm install will no longer fetch dependencies from Git repositories, whether direct or transitive, unless explicitly permitted. GitHub says this removes a code execution path where a Git dependency’s .npmrc file could alter which Git executable is used, even when install scripts are disabled.
- Dependencies installed from remote URLs, such as HTTPS tarballs, will no longer be resolved unless explicitly permitted. This applies to both direct and transitive dependencies.
These changes can significantly reduce supply-chain attacks by removing the automatic execution of dependency installation scripts, the automatic resolution of Git-based dependencies, and the automatic resolution of remote URL dependencies.
The new defaults could have disrupted several attack techniques used in recent supply-chain attacks.
This includes malicious preinstall/postinstall script campaigns targeting eslint-config-prettier, Toptal’s Picasso packages, dozens of data-stealing npm packages, as well as Git dependency abuse documented in Shai-Hulud attacks.
Projects that rely on any of these behaviors for legitimate workflows will need to explicitly opt in before upgrading to npm v12.
GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12.
This allows developers running their normal install routines to review these warnings and identify dependencies or workflows that will require explicit approval before upgrading.
After upgrading to version 12, only explicitly approved scripts and dependency sources will continue functioning automatically.
A community discussion has been opened for developers to share their suggestions on the upcoming changes.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
