In response to a recent wave of supply chain attacks targeting the NPM ecosystem, GitHub has announced that scripts from dependencies will no longer be executed by default.
Several major incidents over the past several months, mainly associated with TeamPCP and the Shai-Hulud self-replicating worm, abused the default, automatic execution of dependency scripts during npm install to infect thousands of developers with malware.
To better protect users, script execution will be blocked by default starting with NPM version 12, which is expected to arrive in July, GitHub announced.
“npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they’re explicitly allowed in your project,” the code-sharing platform explains.
The change will also affect native node-gyp builds, such as packages that ship a binding.gyp but no explicit install script (npm otherwise runs node-gyp rebuild for them implicitly), as well as prepare scripts from git, file, and link dependencies. The recent Shai-Hulud Miasma attacks relied on a weaponized binding.gyp file.
To check how the upcoming change will affect their projects, developers can run npm approve-scripts --allow-scripts-pending, allow the packages they trust and block the rest, and obtain an allowlist that is written to package.json.
Once the updated package.json is committed, developers using NPM version 11.16.0 or later will receive warnings when an install runs dependency scripts.
Additionally, GitHub explains, Git dependencies (direct or transitive) will no longer be resolved during npm install unless explicitly allowed.
“This closes a code-execution path where a Git dependency’s .npmrc could override the Git executable, even with --ignore-scripts,” the platform notes.
Similarly, dependencies fetched from remote URLs will no longer be resolved in NPM version 12. This includes HTTPS tarballs (direct or transitive), but developers can allow them via the --allow-remote flag, which has been available since version 11.15.0.
“Upgrade to NPM 11.16.0 or later, run your normal install, and review the warnings. Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json. After that, only the scripts you approved keep running when you upgrade,” GitHub notes.
Related: Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
Related: Supply Chain Attack Hits 32 Red Hat NPM Packages
Related: GitHub Confirms Hack Impacting 3,800 Internal Repositories
Related: Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack