GitHub has officially released npm version 12, disabling install scripts by default in a move to curb software supply chain attacks. The Microsoft-owned subsidiary also deprecated granular access tokens (GATs) that could bypass two-factor authentication.
The default disable of `allowScripts` means scripts that previously ran automatically during npm install are now opt-in. This change targets a common vector for malicious packages that weaponize install-time code execution.
Attackers have long exploited install scripts to deploy malware, steal credentials, or install backdoors. By making scripts opt-in, npm 12 forces developers to explicitly review and approve any package that requires post-install actions.
Granular access tokens, which allowed users to bypass 2FA for specific registry operations, have been deprecated entirely. GitHub cited security concerns over token-based authentication that could circumvent stronger account protections.
No patches or workarounds are needed for existing users, but projects relying on install scripts must update their configurations to enable `allowScripts`. Organizations should audit their workflows to ensure compatibility with the new default behavior.