JH← Back to blog

npm v12 Disables Install Scripts by Default — Here's Your Upgrade Checklist

npm v12 stops running install scripts automatically and blocks git/remote dependencies by default. Paired with a CVSS 9.2 flaw in AdonisJS, here's what to audit before you upgrade.


Starting this month, npm v12 makes one of the most consequential default-security changes in the package manager's history: install scripts no longer run automatically, and dependencies can no longer be pulled directly from Git repositories or remote URLs without explicit configuration. If you maintain JavaScript or Node.js projects, expect this to break some builds and require configuration updates — and for teams that take supply chain security seriously, it's a genuine win.

The timing isn't coincidental. It lands alongside CVE-2026-21440, a critical path traversal vulnerability in @adonisjs/bodyparser, a live example of exactly the risk category this change is designed to reduce.

Why this had to happen

The JavaScript ecosystem has absorbed years of high-profile supply chain incidents involving compromised or maliciously published packages that used install-time hooks and typosquatted names to distribute malware or steal credentials — often executing before a developer reviewed a single line of source. npm v12 is the ecosystem-level response to that recurring failure mode.

What actually changed

Packages have long been able to define preinstall, install, and postinstall lifecycle scripts that run automatically the moment a package installs — useful for legitimate build steps like native module compilation, but also a long-standing, frequently abused attack vector. With v12, install scripts no longer run by default; developers who need one to run now have to explicitly allow it, per package. npm also no longer resolves dependencies directly from Git repos or arbitrary remote URLs without explicit configuration — closing off another technique attackers have used to smuggle code into dependency trees outside the registry's normal vetting.

The AdonisJS case study

CVE-2026-21440, a CVSS 9.2 path traversal flaw in @adonisjs/bodyparser, affects the multipart file handling used by AdonisJS apps — serious on its own, since it can let attackers write files outside the intended upload directory. But the bigger lesson is how fast a bug in one popular package propagates through the dependency trees of every app built on that framework, and how much implicit trust developers place in packages just because they're popular. npm v12 doesn't prevent bugs like this from existing, but it does shrink the blast radius of the more dangerous adjacent problem: a compromised package running arbitrary code at install time, before anyone's looked at what it does.

Before you upgrade

  1. Audit your dependency tree for packages relying on install scripts — native modules (image processing, crypto, DB drivers) are the most common legitimate case. Find these before upgrading so builds don't silently break.
  2. Update CI/CD pipelines to explicitly allow install scripts only where genuinely needed, documented per exception — not blanket-allowed.
  3. Replace any Git or remote URL dependencies with registry-published versions where possible; treat what remains as higher-risk.
  4. Patch @adonisjs/bodyparser immediately if you run AdonisJS — CVE-2026-21440 warrants same-week remediation regardless of your npm v12 timeline.
  5. Review your SBOM tooling if you lack visibility into which dependencies use install scripts or non-registry sources.
  6. Communicate the change to your engineering org now — silent build breaks are exactly what pushes teams toward a blanket workaround that undoes the security benefit.

Why this matters more than it looks

Package manager defaults rarely make front-page news, but they quietly set the baseline security posture for a huge share of the software industry, precisely because most developers never override them. Shifting from "run install scripts automatically" to "opt in explicitly" changes the posture of millions of projects without requiring each developer to make an active, informed security decision — which is how ecosystem-wide security improvements actually happen. Audit your dependency tree now, patch AdonisJS if it's in your stack, and plan your v12 upgrade path before it becomes an emergency migration instead of a planned one.