GitHub is overhauling npm with version 12, flipping three long-standing permissive defaults to fight software supply chain attacks. Starting July 2026, npm will block install scripts, Git dependencies, and remote URL packages by default — all requiring explicit developer opt-in. Developers can preview the changes now by upgrading to npm v11.16.0.
Security experts are cautiously supportive. Semgrep's Isaac Evans praised the structural approach but warned attackers will pivot to private repositories like Artifactory. Researcher Paul McCarty fears developers will blindly approve blocked scripts just to get builds working — potentially turning the update into security theatre.
Source: Infosecurity Magazine