npm v12 is now generally available and tagged latest. This major release turns on the install-time security defaults we announced in June, and it’s also where we begin a deprecation of the most sensitive uses of 2FA-bypass granular access tokens (GATs).

Install-time security defaults are now on

As of npm v12, the following npm install behaviors that used to run automatically are now opt-in:

allowScripts defaults to off: Dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.

--allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.