GitHub has released npm version 12 with two notable security changes aimed at reducing supply chain risk in the JavaScript ecosystem: install scripts are now disabled by default, and granular access tokens (GATs) designed to circumvent two-factor authentication are being deprecated.

Install Scripts Now Opt-In

In previous versions of npm, lifecycle scripts bundled inside packages would execute automatically during installation. This behavior has long been a vector for malicious packages to run arbitrary code the moment a developer runs npm install. With npm 12, the allowScripts flag defaults to off, meaning packages can no longer silently execute scripts during installation without explicit developer approval. Projects that rely on install scripts will need to consciously opt in to restore the previous behavior.

This shift places the decision to run third-party code squarely in the hands of the developer, rather than allowing package authors to trigger execution implicitly. Security teams and DevOps pipelines that have not already audited install-time script usage should review their dependency trees before upgrading.

Granular Access Token Deprecation

GitHub is also deprecating granular access tokens that were capable of bypassing npm’s two-factor authentication requirements. GATs were intended to offer fine-grained permission control, but their ability to sidestep 2FA represented a weakening of account-level protections. Deprecating this class of tokens closes an authentication gap that could be exploited if a token were stolen or leaked.

Broader Supply Chain Context

Both changes reflect continued industry pressure to harden open-source package managers against supply chain attacks. Automatic install scripts and weakly authenticated publish tokens have each appeared in documented attack campaigns targeting the npm registry. By making safer behavior the default, npm 12 reduces the blast radius of a compromised or malicious package without requiring developers to take additional defensive steps proactively.

Organizations running automated build pipelines should test npm 12 compatibility, paying particular attention to packages that declare preinstall, install, or postinstall scripts, as those will no longer execute unless explicitly permitted.