Published release of the package manager NPM 12.0, included in the Node.js distribution and used to distribute modules in the language JavaScript. The new version is notable for stopping scripts from running by default during package installation. It is expected that the change will make it more difficult to carry out attacks through dependency compromise and slow down the spread of worms activated from installation scripts.
To prohibit auto-running of scripts specified in package.json through the preinstall, install or postinstall parameters, the allowScripts setting is set to “off” by default. The execution of such scripts, as well as the launch of compilation of C/C++ code by the node-gyp utility if there is a binding.gyp file in the package, is now performed only when receiving explicit instructions from the user. In addition, the “–allow-git” and “–allow-remote” parameters are now set to “none” by default, which disables automatic downloading of dependencies from Git repositories and via direct links to sites with tar archives.
To organize the launch of installation scripts, use the command “npm approve-scripts‘, which takes the names of trusted packages as arguments, or the “–all” option to grant permission to all packages. For dubious packages, it is recommended to run the command “npm approve-scripts –allow-scripts-pending”, which will display a list of scripts applying for execution. After checking these scripts, they can be approved with the “npm approve-scripts” command and added to the white list in package.json.
In addition, it has been announced that the use of GAT access tokens (Granular Access Tokens) configured to perform actions without two-factor authentication (2FA) in the NPM repository has been announced. Starting from August, such tokens, without additional manual confirmation of actions, will not allow you to perform such operations as creating or deleting tokens, changing a profile, password or email, setting up two-factor authentication, generating recovery codes, changing access rights and managing maintainers.
In January 2027, they intend to prohibit the direct publication of packages using tokens that bypass 2FA. In this case, packages can be published in the staging section, where they will remain until the release is manually