npm v12 will make install scripts and remote sources opt-in

[Image: GitHub changelog image for npm breaking-change coverage. Credit: GitHub Changelog]

GitHub says npm v12 will change install defaults in July 2026: dependency install scripts, Git dependencies, and remote URL dependencies will require explicit approval.

npm v12 is expected to change npm install defaults in July 2026 so dependency lifecycle scripts, Git dependencies, and remote URL dependencies no longer run or resolve automatically. GitHub says the migration path is already visible in npm 11.16.0 or newer through warnings and the new npm approve-scripts workflow. For teams, this is a supply-chain hardening change that will also break installs when packages rely on postinstall downloads, native builds, or non-registry sources without an allowlist.

Key takeaways

  • allowScripts will default to off in npm v12, so dependency preinstall, install, postinstall, and some prepare scripts need explicit approval.
  • --allow-git will default to none, blocking Git dependencies unless a project or command opts in.
  • --allow-remote will default to none, blocking remote URL dependencies such as HTTPS tarballs unless explicitly allowed.
  • npm 11.16.0+ can show pending script approvals today, giving CI owners time to build and commit an allowlist before v12 lands.
  • Packages that download binaries during postinstall, such as Cypress-style browser/runtime tooling, need documentation or a runtime-first install path.

Practical LinkLoot angle

This change is useful because it turns a hidden install-time code-execution surface into a reviewed project decision. The cost is migration friction. A dependency tree that installs cleanly today can fail later if a native package, test runner, browser automation tool, or Git dependency depends on install-time behavior.

Start with the projects that run in CI, production deploys, or shared developer machines. Upgrade a test branch to npm 11.16.0 or newer, run a normal install, list pending scripts, and commit only the approvals you understand. Do not wait for npm v12 if your build depends on packages that compile native modules or download large binaries during install.

| Area | What changes in npm v12 | What to do now | Source |
|---|---|---|---|
| Dependency install scripts | Unreviewed scripts stop running by default | Use npm approve-scripts --allow-scripts-pending, then approve or deny packages deliberately | GitHub, npm docs |
| Git dependencies | Git sources require explicit --allow-git access | Replace Git dependencies with registry releases where possible | GitHub |
| Remote tarballs | HTTPS tarballs require explicit --allow-remote access | Move to registry packages or document the exception | GitHub |
| Binary-downloading tools | postinstall downloads may be skipped | Add allowlist guidance or move setup to first run | Cypress issue |

What to verify before you act

Check the npm version in every CI image, local bootstrap script, and container base image. The warning phase is useful only if the same npm behavior is exercised where installs actually run.
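One way to enforce that check is a small gate that runs at the start of every CI job and fails when the npm on the image predates 11.16.0. The script below is an added example, not code from GitHub, npm or LinkLoot; it assumes the version is passed in as the first argument (for instance `node check-npm-version.js "$(npm --version)"`), and its prerelease ordering is deliberately simplified to plain string comparison.

```javascript
// Added example (not from GitHub, npm or LinkLoot): fail a CI job early when the
// npm on the image is too old to surface pending script approvals, so the
// warning phase is exercised where installs really run.
//
// Usage: node check-npm-version.js "$(npm --version)"
// Minimum npm that carries the approve-scripts workflow, per the article.
const MIN_NPM = '11.16.0';

// Parse "11.16.0" or "12.0.0-pre.0" into numeric parts; null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Numeric compare of major.minor.patch; a prerelease ranks below its release.
// (Simplified ordering: prerelease identifiers are compared as plain strings.)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when this npm can list pending dependency script approvals.
function npmSupportsApproveScripts(version) {
  return compareVersions(version, MIN_NPM) >= 0;
}

// Only act as a CLI when a version argument is supplied; otherwise the
// functions above are just available to whoever loads this file.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const v = process.argv[2];
  if (npmSupportsApproveScripts(v)) {
    console.log(`npm ${v}: pending-script warnings available (>= ${MIN_NPM})`);
  } else {
    console.error(`npm ${v} is older than ${MIN_NPM}; upgrade the image before relying on the warning phase`);
    process.exit(1);
  }
}
```

Run it inside each container base image and bootstrap script, not just on a developer laptop; a passing check on the wrong machine tells you nothing about the installs that matter.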

Audit packages with native builds or binary downloads first. sharp, canvas, better-sqlite3, Playwright, Puppeteer, Electron, Cypress, and similar packages often need install scripts for legitimate reasons. Approval should be narrow enough to avoid blessing every future package that appears in the dependency graph.

Treat Git and remote URL dependencies as separate risk decisions. Even if a project has no lifecycle scripts, a Git dependency can still alter fetch and install behavior in ways normal registry packages do not. If a Git dependency is only used because a release was missing, push for a tagged package release instead.

Source check

GitHub's changelog confirms the planned npm v12 defaults, the July 2026 estimate, and the available npm 11.16.0 preparation path. npm's approve-scripts documentation confirms the command shape, allowScripts field, pending-review mode, and pinning behavior. The Cypress issue shows how a high-usage package with a postinstall binary step can be affected by the new defaults.

FAQ

Dependency install scripts, Git dependencies, and remote URL dependencies become opt-in instead of automatic defaults.

For related workflow hardening, see LinkLoot's guide to AI workflow automation and add this npm migration to your dependency-review checklist.