GitHub has officially released npm version 12, which disables installation scripts by default—a significant change aimed at reducing supply chain risk. Install scripts, which can execute arbitrary code during package installation to compile native modules or perform setup tasks, have historically run automatically, creating a persistent attack surface for malicious actors.
The update changes the default behavior of npm install by setting allowScripts to off. Scripts that previously ran automatically now require explicit opt-in approval from developers. This represents a philosophical shift from a "trust but verify" model to a "verify to execute" approach, aligning with broader industry security frameworks that prioritize platform-level safeguards over individual user vigilance.
For the Node.js ecosystem, this constitutes a notable platform intervention by GitHub, the Microsoft subsidiary that manages the npm registry. Rather than relying on developers to manually audit scripts after installation, the new default forces a deliberate decision before any post-install code can execute.
For developers and IT teams worldwide, including those in Hong Kong's tech community, this establishes a new operational baseline for secure package management. The change directly reduces the passive attack surface available to malicious actors targeting the software supply chain by eliminating untrusted code execution as a standard installation step.
Actions for Teams
Adapting to npm 12 requires workflow adjustments:
- Audit and Configure Dependencies: Teams should review project dependencies to identify which legitimately require install scripts for purposes like native module compilation. For these packages, developers must explicitly enable
allowScriptsin the project'spackage.jsonor npm configuration. - Test and Validate: Teams should test their projects after upgrading to ensure that any previously automatic scripts that are now disabled do not break critical functionality.
This change sets a precedent for secure-by-default configurations in package management, reflecting an industry trend toward shifting security responsibility from end users to platform-level controls.
GitHub 正式發布了 npm 第 12 版,該版本預設會禁用安裝腳本——這是一項旨在降低供應鏈風險的重大變更。安裝腳本在套件安裝過程中可執行任意代碼,用於編譯原生模組或執行設定任務,過去一直會自動運行,這為惡意行為者創造了持續存在的攻擊面。
此更新透過將 allowScripts 設定為關閉,改變了 npm install 的預設行為。以往會自動運行的腳本,現需開發者明確同意方可執行。這代表了從「信任但驗證」模式到「先驗證再執行」方針的理念轉變,符合更廣泛的業界安全框架,這些框架優先考慮平台級防護措施,而非個別用戶的警覺性。
對於 Node.js 生態系統而言,這是管理著 npm 註冊表的微軟子公司 GitHub 所進行的一次重要平台干預。新預設設定強制開發者在任何安裝後代碼執行前做出審慎決定,而非依賴他們在安裝後手動審查腳本。
對於全球開發者及 IT 團隊,包括香港科技社群成員而言,這為安全的套件管理確立了新的運作基準。此變更透過將不受信任的代碼執行從標準安裝步驟中移除,直接減少了針對軟件供應鏈的惡意行為者所能利用的被動攻擊面。
團隊應採取的行動
適應 npm 12 需要調整工作流程:
- 審查並配置依賴項: 團隊應審查項目依賴項,以識別哪些確實需要安裝腳本(例如用於編譯原生模組)。對於這些套件,開發者必須在項目的
package.json或 npm 配置中明確啟用allowScripts。 - 測試與驗證: 團隊應在升級後測試其項目,以確保任何原先自動運行、現已被禁用的腳本不會破壞關鍵功能。
此項變更為套件管理中的「安全為先」預設配置樹立了先例,反映了一種將安全責任從最終用戶轉移到平台級控制的業界趨勢。
