GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the 'npm install' command.

'npm install' is the command used to download and install a project's dependencies and run any install-related scripts defined by the packages.

Developers execute it after cloning a project, pulling updates, or during CI/CD builds, and attackers target it because of the potential for automated code execution during package installation.

The main theme of the announcement is that the code execution and non-registry dependency sources that currently trigger automatically during 'npm install' will require explicit approval instead of being trusted by default.
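To make the install-time code execution concrete, here is an added example (not code from the article, GitHub or npm) that audits a node_modules tree for packages declaring the lifecycle hooks npm runs automatically during installation. It only reads package.json files and never executes anything; the three package names in the sample tree are constructed for this example.

```python
"""Audit a node_modules tree for packages that declare install-time
lifecycle scripts (the hooks npm runs automatically during `npm install`).

Illustrative code, not GitHub's or npm's own tooling; it only reads
package.json files and never executes anything."""
import json
import os
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs on the installing machine for a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> dict:
    """Return {package_name: {hook: command}} for every package under
    node_modules whose package.json declares an install-time hook."""
    findings = {}
    for pkg_json in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = data.get("name") or str(pkg_json.parent)
            findings[name] = hooks
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules tree with three fake packages
    (names invented for this example) and return its path."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    manifests = {
        "left-pad-clean": {"name": "left-pad-clean", "version": "1.0.0"},
        "example-native": {
            "name": "example-native",
            "version": "2.3.1",
            # "test" is not an install hook and must not be reported
            "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
        },
        "example-telemetry": {
            "name": "example-telemetry",
            "version": "0.1.0",
            "scripts": {"postinstall": "node ./scripts/setup.js"},
        },
    }
    for pkg, manifest in manifests.items():
        d = Path(root, "node_modules", pkg)
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    tree = build_sample_tree()
    for pkg, hooks in sorted(find_install_scripts(tree).items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Running this against a real project's node_modules shows which dependencies would run code on the installing machine today; in current npm releases the same hooks can be suppressed with `npm install --ignore-scripts` or `ignore-scripts=true` in .npmrc, at the cost of breaking packages that legitimately need an install step.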

Specifically, GitHub announced the following changes: