June 9, 2026
Install drama just dropped
Upcoming breaking changes for NPM v12
NPM’s new lockdown has coders cheering, roasting, and asking why the warning badge looks evil
TLDR: npm v12 will stop silently running dependencies’ install scripts, and stop pulling dependencies straight from Git or arbitrary URLs, unless users approve it, a major safety change aimed at reducing sneaky supply-chain attacks. Commenters are split between “finally, about time” and “does this actually fix anything?”, with bonus mockery for GitHub’s weirdly ominous warning badge.
The big news: npm, the package manager that helps JavaScript apps pull in outside code, is about to get a whole lot stricter in version 12. Starting with v12, expected in July 2026, installs will no longer automatically run the install scripts shipped inside other people’s packages unless you explicitly approve them. It will also refuse to resolve dependencies straight from Git repositories or arbitrary web URLs unless you opt in. In plain English: npm is trying to stop the internet’s favorite bad habit, quietly running surprise code during setup.
But the real show is the comment section, where the mood swings from applause to side-eye in record time. One camp basically said, “Finally!”, with one commenter noting this seems to address a vulnerability first reported 10 years ago, which is the kind of timeline that makes security people laugh and cry at the same time. Another person immediately hit the brakes: does this actually solve the problem, or does it just move the danger from “when you install it” to “when you first run it”? That hot take turned the whole thread into a classic tech food fight over whether this is a fix or just a fancier warning label.
And yes, the jokes landed too. Someone was stunned that npm is owned by GitHub — “well, that explains things...” — while another got distracted by GitHub’s dramatic red RETIRED badge, asking why a preview needs to look like it’s announcing the apocalypse. The funniest suggestion? Add a default one-day waiting period so security scanners can catch suspicious packages first. In other words: npm tried to ship a serious safety update, and the community turned it into a mix of relief, distrust, and meme-worthy UI complaints.
Key Points
- npm v12 is expected in July 2026 and introduces security-related breaking changes to the defaults of npm install.
- In npm v12, allowScripts will default to off, so dependencies’ install scripts are blocked unless explicitly approved.
- Implicit node-gyp rebuilds, and prepare scripts from git, file, and link dependencies, are also blocked under the new script policy.
- The --allow-git default will change to none, preventing Git dependency resolution unless explicitly allowed; npm says this closes a code-execution path involving .npmrc.
- The --allow-remote default will change to none for remote URL dependencies. Users can prepare now using the warnings and approval tools already available in npm 11.x.
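The three default changes above each break a specific class of dependency, so the first thing a practitioner wants before upgrading is an inventory of what will stop resolving or stop running. Below is an added example of such a pre-migration audit, written for this page and not part of npm or any of its own tooling. It reads a package.json and a lockfileVersion 2/3 package-lock.json, flags Git and remote-tarball dependencies by their specifier or resolved URL, and lists packages the lockfile marks with hasInstallScript. Assumptions: the public registry host is registry.npmjs.org (anything else resolved over HTTPS is treated as a remote tarball), the inputs below are constructed sample data, and the function names are this example’s own.

```javascript
// Added example (not npm's own tooling): audit package.json + package-lock.json
// for dependencies that npm v12's stricter defaults will block by default.
// All inputs below are constructed for illustration.

const REGISTRY_HOST = "registry.npmjs.org"; // assumption: default public registry

// Classify a package.json dependency specifier by where npm would fetch it from.
function classifySpecifier(spec) {
  if (typeof spec !== "string") return "other";
  if (/^git(\+[a-z]+)?:/i.test(spec)) return "git";                 // git://, git+ssh://, git+https://
  if (/^(github|gitlab|bitbucket|gist):/i.test(spec)) return "git"; // hosted-git shorthands
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git";          // bare "user/repo" GitHub shorthand
  if (/^https?:\/\//i.test(spec)) return "remote";                   // direct tarball URL
  return "other";                                                    // registry range, file:, link:, npm: alias
}

// Classify a lockfile entry's "resolved" field (lockfileVersion 2/3 layout).
function classifyResolved(resolved) {
  if (typeof resolved !== "string") return "other";
  if (/^git(\+[a-z]+)?:/i.test(resolved)) return "git";
  if (/^https?:\/\//i.test(resolved)) {
    return new URL(resolved).host === REGISTRY_HOST ? "registry" : "remote";
  }
  return "other"; // file:, workspace links, bundled
}

// Returns { git, remote, installScripts }, each a sorted array of { name, ... }.
function auditForNpm12(pkg, lock) {
  const buckets = { git: new Map(), remote: new Map() };
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind in buckets) buckets[kind].set(name, { name, spec, via: field });
    }
  }
  const installScripts = [];
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === "") continue; // root project entry
    const name = path.split("node_modules/").pop(); // transitive deps are nested paths
    const kind = classifyResolved(entry.resolved);
    if (kind in buckets && !buckets[kind].has(name)) {
      buckets[kind].set(name, { name, spec: entry.resolved, via: "lockfile" });
    }
    // hasInstallScript covers preinstall/install/postinstall. prepare scripts of
    // git/file/link deps are not flagged by it, which is why the git list matters too.
    if (entry.hasInstallScript) installScripts.push({ name, version: entry.version });
  }
  const byName = (a, b) => a.name.localeCompare(b.name);
  return {
    git: [...buckets.git.values()].sort(byName),
    remote: [...buckets.remote.values()].sort(byName),
    installScripts: installScripts.sort(byName),
  };
}

// Constructed sample inputs (not a real project).
const samplePackageJson = {
  name: "demo-app",
  dependencies: {
    "lodash": "^4.17.21",
    "left-pad": "https://example.invalid/left-pad-1.3.0.tgz",
    "my-fork": "git+ssh://git@github.com/example/my-fork.git#v2",
    "tiny-tool": "example/tiny-tool",
    "aliased": "npm:some-pkg@1.0.0",
    "local": "file:../local-lib",
  },
  devDependencies: { "esbuild": "^0.21.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/esbuild": { version: "0.21.0", resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://example.invalid/left-pad-1.3.0.tgz" },
    "node_modules/my-fork": { version: "2.0.0", resolved: "git+ssh://git@github.com/example/my-fork.git#abc123" },
    "node_modules/tiny-tool": { version: "0.1.0", resolved: "git+ssh://git@github.com/example/tiny-tool.git#def456" },
    "node_modules/native-thing": { version: "1.0.0", resolved: "https://registry.npmjs.org/native-thing/-/native-thing-1.0.0.tgz", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditForNpm12(samplePackageJson, sampleLock), null, 2));
```

Run against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the actual files. Entries in the git and remote lists are what --allow-git=none and --allow-remote=none will refuse; entries in installScripts are what allowScripts defaulting to off will skip until approved, and reviewing each one by hand is the point of the change.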