GitHub to Disable Auto-Running Scripts in npm by Default in Version 12
GitHub will change npm's default behavior so installation scripts no longer run automatically, a feature frequently exploited by malicious packages. The change, coming in npm 12 (July release), represents a major security shift that npm maintainer Leo Balter called the "single largest code-execution surface in the npm ecosystem." This aligns npm with other major package managers like pnpm, Yarn, and Bun, which already block auto-running scripts by default.
GitHub announced that npm version 12, due in July, will disable automatic execution of preinstall, install, and postinstall scripts unless explicitly permitted via an allowlist. The change addresses a significant security exposure: a compromised package anywhere in a dependency tree could execute arbitrary code on developer machines or CI runners simply by being installed. Three additional security defaults are also changing: the --allow-git flag will default to off, preventing malicious .npmrc files from overriding the Git executable, and allow-remote will default to none, blocking remote URL dependencies. These features have been available as opt-in settings since npm 11.10.0 (February), but will become defaults in version 12. Some packages, including those with native modules, testing tools like Playwright and Puppeteer, and Electron, require script approval to function properly. Developers can maintain an allowlist in package.json configuration, pinned to specific package versions.
What's missing
The article does not provide details on the timeline for developer migration or potential ecosystem impact metrics (e.g., how many packages currently rely on auto-running scripts). Additionally, while the article mentions the Shai-Hulud worm as a notable exploit, it provides no details about that specific incident or other documented attacks leveraging this vulnerability.
What different sources said
- The Register (Center): GitHub pulls pin on npm's auto-run scripts