
npm v12 Ships in July: Prepare Your CI/CD Now

npm v12 breaking changes: install scripts disabled, git and remote dependencies blocked for supply chain security

npm v12 lands in July with three default changes that will silently break installs you haven’t audited. The good news: npm 11.16.0 is already warning you — if you’re paying attention. The bad news: most CI pipelines are not.

The Three Changes That Will Break Your Builds

npm v12 makes three behaviors that were previously automatic into explicit opt-ins. None of these are surprises. All three are responses to 2025 being the worst year on record for npm supply chain attacks, with 454,600 new malicious packages published — a 75% jump year-over-year.

1. Install Scripts Are Off by Default

preinstall, install, and postinstall scripts from dependencies no longer run unless you have explicitly approved them. This includes the implicit node-gyp rebuild that native modules depend on.

The packages most likely to break without intervention: sharp, bcrypt, better-sqlite3, and canvas (all build or fetch a native binary from an install script), plus Playwright, Cypress, and Electron (all download binaries in postinstall). With the script skipped, npm install can exit 0 while the package on disk is missing its binary and is unusable. That is the trap.

2. Git Dependencies Require --allow-git

If your package.json resolves any dependency from a GitHub or GitLab URL (github:owner/repo, git+https://, or any of the shorthands), those dependencies will fail to resolve. Direct and transitive dependencies are both affected, so a clean package.json is not enough: a git URL anywhere in the resolved fields of package-lock.json stops the install. This closes a specific attack path in which a git dependency's own .npmrc could override which Git executable npm runs, executing code even under --ignore-scripts.

3. Remote URL Dependencies Require --allow-remote

Dependencies resolved from HTTPS tarballs rather than a registry are blocked. Check your lockfile: any resolved entry pointing outside registry.npmjs.org or your private registry will need explicit approval.

Prepare Now: Four Steps Before July

The npm team's recommended approach is to approve broadly first and tighten later. Do not try to audit every script before migrating; that path leads to analysis paralysis right before a deadline. One caveat: approving the whole tree is only as safe as the tree, so run the steps below on a clean checkout against your committed lockfile, not on a machine where a fresh resolve may have pulled in versions nobody has looked at.

# Step 1: Upgrade npm and see what's already warning
npm install -g npm@latest

# Step 2: Preview what will be blocked
npm approve-scripts --allow-scripts-pending

# Step 3: Approve everything currently in your tree
npm install && npm approve-scripts --all

# Step 4: Commit the allowlist
git add package.json && git commit -m "chore: add npm v12 allowScripts allowlist"

For git and remote dependencies, add the relevant flags to your .npmrc for affected projects:

allow-git=all
allow-remote=all

Then audit and tighten before the v12 GA date — remove any sources you do not actually need. See the full GitHub community migration discussion for edge cases around native modules and monorepo setups.
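As an added example that is not from the article and not npm's own code, here is a Node script that does the lockfile check from section 3 and the "audit and tighten" step together. It reads package-lock.json offline and reports git and remote resolutions, the packages whose lockfile entry carries hasInstallScript, which of those are not in your approved names, and which approved names are no longer in the tree. The assumptions are stated in the code: the approved names are passed in as a plain array (whatever format your npm version stores the allowlist in), the trusted registry hosts are supplied by the caller, and the sample lockfile is constructed for the demo.

```javascript
// Added example for this article (not npm's own code and not from the npm
// team): audit a package-lock.json (lockfileVersion 2 or 3) offline for the
// things npm v12 gates by default, and diff the packages that carry install
// scripts against the names you have approved.
//
// Assumptions, stated as such: "resolved", "link" and "hasInstallScript" are
// the lockfile fields npm already writes; the approved names come in as a
// plain array, whatever format your npm version keeps its allowlist in; the
// registry hosts you trust are passed in by the caller.

const DEFAULT_REGISTRY_HOSTS = ["registry.npmjs.org"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Classify a lockfile "resolved" value: registry tarball, git checkout,
// remote (non-registry) tarball, or unknown (local path, file:, missing).
function classifyResolved(resolved, registryHosts = DEFAULT_REGISTRY_HOSTS) {
  if (typeof resolved !== "string") return "unknown";
  if (resolved.startsWith("git+") || resolved.startsWith("git:")) return "git";
  let url;
  try {
    url = new URL(resolved);
  } catch {
    return "unknown"; // relative path, e.g. a workspace link target
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "unknown";
  return registryHosts.includes(url.host) ? "registry" : "remote";
}

function auditLockfile(lock, approved, registryHosts = DEFAULT_REGISTRY_HOSTS) {
  const git = new Map(); // name -> resolved
  const remote = new Map();
  const withScripts = new Set();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project, workspace links
    // Aliased packages carry the real name in entry.name; otherwise derive it.
    const name = entry.name || packageName(lockPath);
    const kind = classifyResolved(entry.resolved, registryHosts);
    if (kind === "git") git.set(name, entry.resolved);
    if (kind === "remote") remote.set(name, entry.resolved);
    if (entry.hasInstallScript) withScripts.add(name);
  }
  const approvedSet = new Set(approved);
  const toList = (m) =>
    [...m].map(([name, resolved]) => ({ name, resolved })).sort((a, b) => a.name.localeCompare(b.name));
  return {
    git: toList(git),
    remote: toList(remote),
    // hasInstallScript but not approved: npm v12 will skip these with a warning
    unapproved: [...withScripts].filter((n) => !approvedSet.has(n)).sort(),
    // approved but no longer in the tree: candidates to drop when you tighten
    stale: [...approvedSet].filter((n) => !withScripts.has(n)).sort(),
  };
}

// For a real project: auditLockfileText(fs.readFileSync("package-lock.json", "utf8"), approved)
function auditLockfileText(text, approved, registryHosts) {
  return auditLockfile(JSON.parse(text), approved, registryHosts);
}

// Constructed sample lockfile (not a real project; integrity fields omitted).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { sharp: "^0.32.0", esbuild: "^0.24.0" } },
    "node_modules/sharp": {
      version: "0.32.6",
      resolved: "https://registry.npmjs.org/sharp/-/sharp-0.32.6.tgz",
      hasInstallScript: true,
    },
    "node_modules/esbuild": {
      version: "0.24.0",
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.24.0.tgz",
      hasInstallScript: true,
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/internal-fork": {
      version: "2.1.0",
      resolved: "git+ssh://git@github.com/example-org/internal-fork.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/vendored-tarball": {
      version: "0.1.0",
      resolved: "https://artifacts.example.internal/vendored-tarball-0.1.0.tgz",
    },
    "packages/my-workspace": { name: "my-workspace", version: "1.0.0" },
    "node_modules/my-workspace": { resolved: "packages/my-workspace", link: true },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Approved names are a stand-in for whatever your allowlist currently holds.
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, ["sharp", "no-longer-installed"]), null, 2));
}
```

Run it against your real lockfile in CI after the allowlist lands: a non-empty unapproved list means a script npm v12 will skip, and a non-empty stale list is what you can delete when you tighten. On the sample, esbuild shows up as unapproved, internal-fork as a git resolution, vendored-tarball as a remote one, and no-longer-installed as stale.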

The CI/CD Trap: Silent Failures Are More Dangerous Than Hard Errors

Here is the counterintuitive part: by default, npm v12 does not hard-fail when a script is unapproved. It skips the script with a warning and lets the install complete. That is by design — it avoids the chicken-and-egg problem of approving a package before it is installed.

But in CI, a silent skip is worse than a loud crash. Playwright installs but has no browser. sharp installs but cannot process images. Your pipeline turns green, your tests start failing, and you spend an afternoon bisecting a dependency change from two weeks ago.

The fix: enable strict mode in CI only.

# In your CI environment only — fails loudly on unapproved scripts
npm install --strict-allow-scripts

Keep the softer default on developer machines to avoid workflow friction during the migration window. This asymmetric approach, strict in CI and soft locally, is the pattern the npm team recommends. Pair it with a smoke test that actually exercises each native module and downloaded binary after install, so a skipped script surfaces at install time on every machine, not two weeks later in a failing test suite.

Why npm Did This Now

Install scripts have always been the npm ecosystem’s most abused attack surface. The axios compromise in March 2026 — where a North Korean threat actor took over one maintainer account and delivered a remote access trojan to a package with 100 million weekly downloads for three hours — removed whatever remained of the “this probably won’t affect us” argument. Before that, the Shai-Hulud worm in September 2025 demonstrated self-propagating npm malware for the first time, hitting nearly 500 packages with a combined 2.6 billion weekly downloads.

The pattern is the same every time: compromised account, malicious postinstall, arbitrary code execution at the exact moment developers are least suspicious — during a routine npm install.

npm v12 does not close every attack path. It does not stop malicious code that runs at import time. It does not prevent a trusted maintainer account from being compromised, and the allowlist is only as trustworthy as the packages on it: an approved package whose next release is malicious still gets to run its scripts, so pinning and reviewing those packages matters as much as before. But it removes the trivial install-time execution vector that has been the entry point in the majority of real-world attacks. That is a meaningful step, and the July deadline is real.

Start your migration now on npm 11.16.0. The warnings are already there — read them.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
