Security · 2h ago
npm 12 Disables Install Scripts by Default to Curb Supply Chain Attacks
GitHub released npm 12, disabling install scripts by default to reduce supply chain risks. The update also deprecates granular access tokens that bypassed two-factor authentication. Users must now opt-in to allow scripts, a shift from previous automatic execution.
Meridian48 take
This is a overdue hardening step for npm, but the real test will be how many developers actually opt-in versus how many workflows break.
Read the full reporting
npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk →
The Hacker News
npmsupply-chain-security