**GitHub** has announced a major security overhaul for **npm v12**, slated for release next month. These changes are specifically designed to counter supply-chain attacks that leverage behaviors triggered by the ubiquitous `'npm install'` command. `'npm install'` is the command responsible for downloading and installing a project's dependencies and executing any associated installation scripts. Developers frequently use it after cloning projects, pulling updates, or during CI/CD build processes. Attackers have long targeted this command due to its potential for automated code execution during package installation. The core principle behind this update is a shift from implicit trust to explicit approval for code execution and non-registry dependency sources during `npm install` operations. **GitHub** detailed the following key changes in their announcement: 1. **Script Execution Restrictions**: Starting with **npm v12**, `preinstall`, `install`, and `postinstall` scripts from dependencies will no longer run automatically unless explicitly approved. This restriction also extends to native module builds initiated via **node-gyp** and `prepare` scripts from Git, local file, and linked dependencies. 2. **Git Dependency Resolution**: `npm install` will cease to automatically fetch dependencies from Git repositories, whether direct or transitive, without explicit permission. **GitHub** notes this closes a critical code execution path where a Git dependency's `.npmrc` file could be manipulated to alter the Git executable used, even if install scripts were disabled. 3. **Remote URL Dependency Resolution**: Dependencies installed from remote URLs, such as HTTPS tarballs, will no longer be resolved automatically. This applies to both direct and transitive dependencies. These modifications are expected to significantly mitigate supply-chain risks by eliminating the automatic execution of dependency installation scripts, the automatic resolution of Git-based dependencies, and the automatic resolution of remote URL dependencies. Such new defaults would have prevented several recent supply-chain attacks, including malicious `preinstall`/`postinstall` script campaigns targeting **eslint-config-prettier**, **Toptal's Picasso packages**, and numerous data-stealing **npm** packages. They would also have countered Git dependency abuse as documented in **Shai-Hulud** attacks. Projects that legitimately rely on any of these behaviors will need to explicitly opt-in before upgrading to **npm v12**. **GitHub** advises developers to prepare by upgrading to **npm 11.16.0** or newer. This version will display warnings for all actions that will be impacted by **v12**, allowing developers to identify and address dependencies or workflows requiring explicit approval before making the full upgrade. Once upgraded to **npm v12**, only explicitly approved scripts and dependency sources will function automatically. A [community discussion](https://github.com/orgs/community/discussions/198547) has been initiated for developers to provide feedback and suggestions on these upcoming changes.