GitHub Overhauls npm Security, Disabling Auto-Run Scripts by Default

WireByte Staff · June 10, 2026

GitHub is enhancing npm security by disabling automatic script execution during package installation, starting with npm 12 in July. The change closes a major attack surface that malicious packages have exploited, aiming to prevent arbitrary code execution on developer machines and CI runners by requiring explicit user permission before install scripts run.

Key points

  • GitHub will change npm's default behavior to prevent automatic script execution during package installation, a change slated for npm 12 in July.
  • This aims to mitigate risks from malicious packages, which have exploited install-time scripts to execute arbitrary code on developer machines or CI runners.
  • New defaults will require explicit permission via `allow-scripts` for preinstall, install, or postinstall scripts.
  • The `--allow-git` flag and `allow-remote` functionality will also default to off, closing further attack vectors.
  • While a breaking change, developers can allow scripts via package.json configuration, with GitHub recommending immediate review and adjustment.

GitHub is introducing significant security changes to its Node Package Manager (npm) platform, set to take effect with the release of npm 12 in July. The primary alteration involves disabling the automatic execution of scripts during the package installation process.

Historically, install-time lifecycle scripts have presented a substantial security risk, allowing a single compromised package to execute arbitrary code. Maintainer Leo Balter highlighted that "install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem." The upcoming changes will require developers to explicitly permit these scripts using an `allow-scripts` configuration, thereby closing a common avenue for malicious actors.

Further enhancements include defaulting the `--allow-git` flag to off, preventing dependencies from being pulled from remote URLs without explicit authorization. Similarly, the `allow-remote` feature, which controls dependency downloads, will default to a more restrictive setting. These measures are designed to protect against scenarios where malicious `.npmrc` files could be used to override system commands. While these changes are considered breaking, GitHub advises developers to proactively review their projects and configure script allowances to ensure a smooth transition and immediate protection.

WireByte Staff — Editorial Team

The WireByte editorial team synthesises technology news from multiple primary sources, verifies the facts, and links every source. Articles are produced with AI assistance and reviewed under our editorial policy.