Tech Times reports that npm v12 will block dependency install scripts, Git dependencies, remote tarballs, and implicit node-gyp builds by default, turning install-time code execution in the open-source JavaScript ecosystem into a reviewable allowlist after Axios, Mastra, Miasma, and Shai-Hulud supply-chain attacks.
npm v12 Ships This Month, Blocking Install Scripts That Enabled Year of Supply Chain Attacks
Tech Times reports that npm v12 will block dependency install scripts, Git dependencies, remote tarballs, and implicit node-gyp builds by default, turning install-time code execution in the open-source JavaScript ecosystem into a reviewable allowlist after Axios, Mastra, Miasma, and Shai-Hulud supply-chain attacks.
Source: Techtimes