NPM v12 to Introduce Major Security Changes to Script Execution and Dependency Resolution
NPM announced that version 12, scheduled for July 2026, will change default behaviors to require explicit opt-in for running installation scripts and resolving Git and remote URL dependencies. These security-focused changes are currently available as warnings in NPM 11.16.0 and later, allowing developers to prepare their projects in advance. The changes aim to close code-execution vulnerabilities while giving developers control over which packages can run scripts during installation.
NPM's upcoming major version 12 will implement three significant security-related default changes to the npm install command. First, the allowScripts setting will default to off, preventing preinstall, install, and postinstall scripts from executing automatically unless explicitly approved—including native node-gyp builds. Second, Git dependencies will no longer resolve by default, closing a vulnerability where a dependency's .npmrc file could override the Git executable. Third, remote URL dependencies (such as HTTPS tarballs) will require explicit allowance via the --allow-remote flag. Developers can prepare by upgrading to NPM 11.16.0 or later, running their normal install process to observe warnings, and using the npm approve-scripts command to create an allowlist of trusted packages that will be committed to package.json.
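Before the upgrade, a team will want an inventory of exactly which packages in its tree declare install-time lifecycle scripts and which dependency specifiers point at Git or remote URLs, since those are the behaviours npm 12 will gate. The following script is an added example (it is not npm's own code and does not use the new `npm approve-scripts` command); it reads package manifests and reports those behaviours so the allowlist can be reviewed deliberately. The manifests are constructed sample data, the specifier patterns are a reviewer's heuristics rather than npm's parser, and the treatment of the `gypfile` field as an implicit native build is an assumption based on how npm normalizes manifests that ship a `binding.gyp`.

```javascript
// Added example (not npm's own code): audit package manifests for the two
// behaviours npm 12 will gate by default, install-time lifecycle scripts and
// git / remote-URL dependency specifiers, so a team can build its allowlist
// before upgrading. The manifests below are constructed sample data.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Classify a dependency specifier string the way a reviewer would read it.
// The patterns are an assumption about common spec shapes, not npm's parser.
function classifySpec(spec) {
  if (/^git(\+[a-z]+)?:/.test(spec)) return "git";                // git+ssh://, git+https://, git://
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return "git"; // hosted-git shortcuts
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git";         // bare "owner/repo" GitHub shorthand
  if (/^https?:\/\//.test(spec)) return "remote";                  // HTTPS tarball
  if (/^file:/.test(spec)) return "file";
  return "registry";                                               // semver range, tag, npm: alias, ...
}

// Report every install-time behaviour a single package manifest would trigger.
function auditManifest(name, manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ pkg: name, kind: "script", detail: `${hook}: ${scripts[hook]}` });
  }
  // Assumption: a package shipping binding.gyp gets an implicit "node-gyp rebuild"
  // install step when it declares no install/preinstall script; npm marks such
  // manifests with "gypfile": true, so treat that as a script finding too.
  if (manifest.gypfile && !scripts.install && !scripts.preinstall) {
    findings.push({ pkg: name, kind: "script", detail: "gypfile: implicit node-gyp rebuild" });
  }
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [dep, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === "git" || kind === "remote") findings.push({ pkg: name, kind, detail: `${dep}: ${spec}` });
    }
  }
  return findings;
}

// Audit a whole tree: an object mapping package name -> parsed package.json.
function auditTree(manifests) {
  return Object.entries(manifests).flatMap(([name, m]) => auditManifest(name, m));
}

// Count findings per kind, e.g. { script: 3, git: 1, remote: 1 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample: a root project plus three installed packages.
const SAMPLE_MANIFESTS = {
  "web-app": {
    dependencies: {
      "left-pad": "^1.3.0",
      "my-fork": "github:someuser/my-fork#v2",
      "internal-lib": "https://artifacts.example.internal/internal-lib-1.0.0.tgz",
      "native-addon": "^0.4.0",
    },
  },
  "left-pad": { version: "1.3.0" },
  "build-tool": { scripts: { install: "node scripts/build.js", postinstall: "node scripts/check.js" } },
  "native-addon": { gypfile: true, dependencies: { nan: "^2.0.0" } },
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditTree(SAMPLE_MANIFESTS);
  for (const f of findings) console.log(`${f.kind.padEnd(7)} ${f.pkg}: ${f.detail}`);
  console.log(summarize(findings));
}
```

Run against the sample tree, the audit lists two script hooks in `build-tool`, the implicit native build in `native-addon`, and the Git and HTTPS specifiers in the root manifest, which is the set a team would expect to see surface as warnings on npm 11.16.0 and would then decide whether to approve. In a real project the same functions would be fed the parsed `package.json` of the root and of each directory under `node_modules`.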
What's missing
The articles do not discuss the potential impact on the broader npm ecosystem, such as how many popular packages rely on installation scripts or how this might affect CI/CD pipelines and automated deployment systems. Additionally, there is no discussion of community feedback or concerns about the usability implications of requiring explicit approvals for every package with scripts.
What different sources said
- Hacker News: Upcoming breaking changes for NPM v12