Home / Companies / Socket / Blog / Post Details
Content Deep Dive

npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens

Blog post from Socket

Post Details
Company
Date Published
Author
Sarah Gooding
Word Count
988
Company Posts That Month
6
Language
English
Hacker News Points
-
Post removed?
No
Summary

npm v12 introduces significant security enhancements by making install-time execution opt-in, aligning it with industry practices to mitigate supply chain attacks. This includes requiring explicit approval for preinstall, install, and postinstall scripts, effectively blocking potential attack vectors that exploited automatic script execution, such as those seen in the Miasma "Phantom Gyp" incidents. Additionally, the update begins phasing out 2FA-bypass granular access tokens, restricting their capabilities to enhance account security, and recommends transitioning to more secure publishing methods like trusted or staged publishing with human approval. Despite some initial resistance, a change that would have made unknown .npmrc keys result in errors was rolled back to ease the transition for teams, while unknown CLI flags continue to trigger errors. The npm team also plans to potentially backport v12 to Node 24 and 26, expanding its reach to more users. An ongoing community discussion addresses gaps in approval tooling, proposing enhancements to provide detailed insights into script actions, further strengthening npm's security posture.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.