GitHub has announced significant changes to the npm ecosystem in response to a rise in supply chain attacks. Starting with npm 12, due in July, lifecycle scripts declared by dependencies will no longer run by default during '_npm install_'. The change is meant to protect developers from malware that has recently abused the automatic execution of install scripts to run attacker code on the machine doing the install.
Developers who need scripts from particular dependencies can use the '_npm approve-scripts --allow-scripts-pending_' command to build an allowlist of trusted packages. In addition, Git and remote URL dependencies will require explicit permission before they are installed, reducing the risk from compromised scripts in packages that never passed through the registry. The measure follows a series of supply chain attacks that exploited the previous run-by-default behaviour.