Published July 8, 2026 ยท Added July 18, 2026

npm v12 Ships This Month, Blocking Install Scripts That Enabled Year of Supply Chain Attacks

Tech Times reports that npm v12 will block dependency install scripts, Git dependencies, remote tarballs, and implicit node-gyp builds by default, turning install-time code execution in the open-source JavaScript ecosystem into a reviewable allowlist after Axios, Mastra, Miasma, and Shai-Hulud supply-chain attacks.

Tech Times reports that npm v12 will block dependency install scripts, Git dependencies, remote tarballs, and implicit node-gyp builds by default, turning install-time code execution in the open-source JavaScript ecosystem into a reviewable allowlist after Axios, Mastra, Miasma, and Shai-Hulud supply-chain attacks.

Read the original story.

Source: Techtimes