npm v12 changes default behaviors in npm install to enhance supply-chain security by requiring explicit opt-in for actions that previously occurred automatically. Specifically, install scripts (preinstall, install, postinstall) will not run unless explicitly approved, including implicit node-gyp builds. Git dependencies will not be resolved unless allowed via the --allow-git flag, mitigating risks from malicious .npmrc overrides. Remote URL dependencies (e.g., https tarballs) will also require explicit permission via --allow-remote. These changes are designed to reduce attack surfaces related to code execution during dependency installation and improve overall supply-chain security posture. Preparatory warnings and tooling are available in npm 11.16.0 and later to help developers transition.

By disabling automatic execution of install scripts and restricting Git and remote URL dependencies, npm v12 reduces the risk of malicious code execution during package installation, a common vector for supply-chain attacks. This limits attackers' ability to exploit install-time scripts or override Git executables via .npmrc files. However, developers who depend on these features may experience installation failures or need to explicitly approve trusted scripts and dependencies, potentially impacting development workflows.

A fix is available in npm v12, which is planned for release in July 2026. Developers should upgrade to npm 11.16.0 or later to receive preparatory warnings and use the provided tools (npm approve-scripts, npm deny-scripts) to manage script execution permissions. Projects should explicitly approve trusted install scripts and dependencies and commit the resulting allowlist to package.json. For Git and remote URL dependencies, explicit flags (--allow-git, --allow-remote) must be used to permit their resolution. Following these steps will ensure compatibility with npm v12 and improve supply-chain security.