The Hacker NewsFriday · July 10, 2026FREE

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

npmsupply-chainsecurityjavascript

npm 12, the latest version of the Node.js package manager, disables install scripts by default. This change is intended to reduce supply chain risk by preventing malicious packages from executing arbitrary code during the installation process. Previously, npm would run scripts defined in a package's `package.json` automatically. With npm 12, developers must explicitly enable scripts using the `--scripts-prepend-node-path` flag or by setting the `ignore-scripts` configuration option to `false`. The update addresses a common attack vector where compromised packages use install scripts to exfiltrate data or install malware. The npm team recommends that users upgrade to npm 12 to benefit from this security improvement. The change is part of a broader effort to harden the npm ecosystem against supply chain attacks.

// why it matters

Developers must update workflows to explicitly enable install scripts in npm 12.

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com

Like this? Get the next digest.