www.infosecurity-magazine.com 6/12/2026, 1:11:24 PM · external

GitHub to Update npm to Thwart Software Supply Chain Attacks

Primary Source github.blog

GitHub is set to release version 12 of its npm package manager with three security changes aimed at preventing software supply chain attacks. Effective from July 2026, npm 12 will by default block certain installation scripts, refuse to resolve Git dependencies from custom URLs, and refuse to fetch packages from external URLs unless such sources are explicitly allowed. Security experts have endorsed the shift, saying it establishes stronger default protections.

However, some have raised concerns about potential friction for developers and suggest that attackers may pivot to targeting private repositories. The updates aim to strengthen defaults while balancing usability.
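To see where a project would hit the new defaults before upgrading, the following added example (not npm's or GitHub's code, and not from the article) audits a package.json and a lockfile for the three patterns described above: install lifecycle scripts, Git-URL dependencies, and dependencies fetched from arbitrary URLs. The `hasInstallScript` flag is a real field in npm lockfile v2/v3 entries; the sample manifest, the sample lockfile, and the registry allow-list are constructed for this demo and are assumptions, not a recommended policy.

```javascript
// Added example: audit a manifest and lockfile for install scripts, Git-URL
// dependencies and non-registry URL dependencies. Sample inputs are constructed.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed policy: only the public registry is an allowed tarball source.
const REGISTRY_ALLOWLIST = new Set(["registry.npmjs.org"]);

// Spec shapes npm resolves from a git repository instead of a registry version.
const GIT_PREFIX = /^(git\+ssh|git\+https|git\+http|git\+file|git|github|gitlab|bitbucket|gist):/;
const GIT_SHORTHAND = /^[A-Za-z0-9_-][\w.-]*\/[\w.-]+(#[\w./-]+)?$/; // e.g. "owner/repo#v1"

function classifySpec(spec) {
  if (GIT_PREFIX.test(spec) || GIT_SHORTHAND.test(spec)) return "git";
  if (/^https?:\/\//.test(spec)) return "url";
  return "registry"; // semver ranges, tags, npm: aliases, file: and workspace: specs
}

// Findings from the declared dependencies and root lifecycle scripts.
function auditManifest(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    const kind = classifySpec(spec);
    if (kind !== "registry") findings.push({ type: `${kind}-dependency`, name, spec });
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ type: "install-script", name: pkg.name, spec: `${hook}: ${pkg.scripts[hook]}` });
    }
  }
  return findings;
}

// Findings from the resolved dependency tree: where each package actually came
// from, and whether npm recorded an install script for it.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry; covered by auditManifest
    const name = path.replace(/^.*node_modules\//, "");
    if (entry.hasInstallScript) findings.push({ type: "install-script", name, spec: path });
    if (!entry.resolved) continue;
    if (/^git\+/.test(entry.resolved)) {
      findings.push({ type: "git-dependency", name, spec: entry.resolved });
      continue;
    }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch (e) { host = null; }
    if (host && !REGISTRY_ALLOWLIST.has(host)) {
      findings.push({ type: "url-dependency", name, spec: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample project: one git dependency, one tarball URL dependency,
// a root postinstall script, and a registry package with its own install script.
const samplePackageJson = {
  name: "demo-app",
  scripts: { postinstall: "node scripts/setup.js", test: "jest" },
  dependencies: {
    lodash: "^4.17.21",
    "some-fork": "github:example-org/some-fork#v2.0.0",
    "legacy-lib": "https://example.com/pkgs/legacy-lib-1.0.0.tgz",
    "@scope/tool": "~2.1.0",
  },
};

const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/some-fork": { version: "2.0.0", resolved: "git+ssh://git@github.com/example-org/some-fork.git#0123456789abcdef0123456789abcdef01234567" },
    "node_modules/legacy-lib": { version: "1.0.0", resolved: "https://example.com/pkgs/legacy-lib-1.0.0.tgz" },
    "node_modules/native-addon": { version: "3.2.1", resolved: "https://registry.npmjs.org/native-addon/-/native-addon-3.2.1.tgz", hasInstallScript: true },
    "node_modules/@scope/tool": { version: "2.1.4", resolved: "https://registry.npmjs.org/@scope/tool/-/tool-2.1.4.tgz" },
  },
};

function auditProject(pkg, lock) {
  return [...auditManifest(pkg), ...auditLockfile(lock)];
}

for (const f of auditProject(samplePackageJson, sampleLockfile)) {
  console.log(`${f.type.padEnd(18)} ${f.name.padEnd(14)} ${f.spec}`);
}
```

Running the block lists six findings: three from the manifest (the git and URL specs plus the root postinstall hook) and three from the lockfile (the git and external-host `resolved` URLs plus `native-addon`, which the lockfile marks with `hasInstallScript`). Each one is a place where the July 2026 defaults would need an explicit allowance or a change of source. Today the equivalent knob for the first pattern is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which disables all lifecycle scripts rather than selected ones.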


Article by CyberSIXT
