Upcoming breaking changes for npm v12

tuckwat 3 hours ago |

I bet there have been a hundred different discussions about this inside of NPM since it was disclosed 10 years ago. With Shai Halud it's gotten too big to ignore.

karakanb 4 hours ago |

It is not obvious from the post but it seems like the allow list for the scripts supports whitelisting packages instead of a global setting. This should make it easier to maintain org-wise rules to allow scripts only for specific packages.

Is there a linter that could be used for scenarios like this to prevent unsafe default on package manager config?

aniceperson 5 hours ago |

didn't know npm was owned by github.. well, that explains things...

shagie 5 hours ago | |

NPM Is Joining GitHub - https://news.ycombinator.com/item?id=22594549 (March 16, 2020; 571 comments; 1829 points) - https://github.blog/news-insights/company-news/npm-is-joinin...

Some of it aged... interesting.

Top comment:

> Microsoft doesn’t do everything right but the GitHub acquisition has honestly gone better than I ever expected. Rather than forcing GitHub to adopt Microsoft centric policies, Microsoft has adopted more GitHub stuff, especially from a product POV. GitHub still runs as a separate company (different logins and health care and hiring systems) with its own policies and point of view.

> ...

w29UiIm2Xz 4 hours ago | | |

To be fair, the vibes (at the time) were that Microsoft has changed. Probably, in some way, a zero-interest rate phenomena.

ok_dad 1 hour ago | | |

Young people thought M$ was changing, the old folks knew it was just another cycle of embrace, extend, extinguish.

shimman 3 hours ago | | |

MSFT acquisition of NPM was a massive shit show, they fired many staff engineers and people that were at github for quite a while. Top comment was a liar.

tomnipotent 1 hour ago | | |

> they fired many staff engineers

Would you rather the company went under after it ran out of money and had to fire everyone instead? Not to mention a quarter of the company was laid off the year before the acquisition.

shimman 58 minutes ago | | |

Uhh, I'd expect the trillion dollar transnational corporation to do right by it's workers rather than rat fucking them to appease corporate do-nothing leeches if I'm being frank.

ralph84 3 hours ago | |

NPM (the company) was about to go under in 2020. They raised VC but never found a sustainable business model. GitHub acquired them to keep the ecosystem alive. The acquisition hasn't really benefitted GitHub much at all.

materielle 3 hours ago | | |

I don’t know if this is the case here, but it’s very hard in general to judge how much software projects ought to cost.

Software projects will grow in complexity to consume whatever budget you give it. If you hire 50 devs and give them a bunch of business objectives, they are going to do what they do and write a ton of software.

It’s not obvious to me that it would be theoretically impossible to build a cheaper package manager.

monster_truck 2 hours ago | | |

And additionally was it truly worth buying if this is what we've ended up with? Some things should be allowed to fail

joeyhage 5 hours ago | |

Most people know this but the _real_ reason it explains things is that GitHub is owned by Microsoft. Oh, and Microsoft moved GitHub to Azure

amitport 20 minutes ago | | |

To be fair, NPM sucked long before it got acquired by Github/Microsoft.

And to be fair 2: The other package repos also suck.

BowBun 5 hours ago | |

yes, since 2020

thatmf 3 hours ago |

> allowScripts defaults to off

Nice that they're following pnpm's lead on this after [checks watch]... 18 months?

MrBuddyCasino 56 minutes ago | |

Java‘s Maven never had them, never felt a need for them.

What is their purpose in JS land?

tuananh 26 minutes ago | | |

native modules. nodejs can have native modules (written in C++, Rust, etc...). Projects usually ship prebuilt natives binaries (for each arch/OS/Nodejs ABI combination) hosted on GitHub Releases and download them automatically at installation time; fallback to build from source if not found. that's where scripts are used

the reason for not bundling all native binaries is becasue the no. of combinations are huge and it can make module size hundreds of MBs

dgoldstein0 49 minutes ago | | |

Off the top of my head the purposes I've seen for them: - building native bindings (node-sass) - asking for funding (core-js)

... Probably a few more but the native case is probably the biggest and the packages I'm using nowadays ship precompiled blobs in optionalDependencies. Install scripts seem to be out of favor.

efortis 5 hours ago |

this release fixes a vulnerability reported 10 years ago

https://www.kb.cert.org/vuls/id/319816

ares623 1 hour ago | |

Breaking: AI fixes 10 year old vulnerability!

beart 1 hour ago |

Does the allow list in package.json pin to the package version, or only to the package name?

ComputerGuru 4 hours ago |

My big question as an OSS dev distributing some precompiled binaries via npm for easy installation: does allowScripts also default to disabled when directly installing a package (globally or otherwise)?

thrdbndndn 2 hours ago |

How do you allow scripts for tools installed globally?

cookiengineer 47 minutes ago |

What a pointless change.

If you force every user to just use "--enable-unsecure-feature", guess what will happen?

This is not about improving security. This is about shifting blame.

A much better alternative would've been the introduction of sandboxes or simulation runs that would output which scripts and programs are running due to unpredictable dependencies. This way the user could check before the actual execution, and maintain an allow list much easier. That could be done via an npm update && npm upgrade workflow where the update generates the list that the user has to manually confirm.

Heck, even a chroot would be an improvement, and they're almost pointless these days, considering how good malware got at escaping chroots.

garbagepatch 1 minute ago | |

Most users don't need it. Having it on by default is a feature for malware writers not users.

But to your point, Node has had permission flags for a while[0] but allows everything by default. Npm could use them to increase security even more. I just hope it doesn't take them another 10 years to change the default.

[0] https://nodejs.org/api/permissions.html

woodruffw 19 minutes ago | |

I don't think it's pointless. A large number (the majority?) of users probably don't need install scripts, so disabling them by default is a net security improvement. Those that do can enable the insecure behavior, which will become an explicit decision that is trackable, auditable, etc.

You're not wrong about sandboxing, but sandboxing isn't something that can just be blithely introduced to a large packaging ecosystem that previously assumed full system access. Doing so results in the same kind of regression you point out: if the sandboxing breaks peoples' builds, they'll just disable it and move on with their goals.

cute_boi 5 hours ago |

They should have added a 1-day age limit by default, so security scanners have some time.

geophph 3 hours ago | |

The maintainer of pnpm mentioned this on the pod rocket podcast recently. Based on recent npm exploits they decided to (and based on a poll they did most users agreed) set to 1 day by default in v11. Can always choose to change it if you desire.

KolmogorovComp 4 hours ago | |

I don't think it'd necessarily be a good decision, sometimes CVE are actively exploited and need quick patching.

A better safety net would be to require active 2FA proof for every package update.

woodruffw 17 minutes ago | | |

I think you want both of these things. Realistically we're not at a point yet where all MFA credentials are phishing resistant.

therealmarv 3 hours ago | | |

As if supply chain attacks could have been prevented by 2fa or passkeys always.

You want delays by x days because supply chain attacks get caught very often within 1-2 days. And if you really really want to make an exception for a zero day then that's no problem and you can still quick patch by exclusion of that rule. They don't contradict in a unsolvable problem. You want both, you get both.

doctorpangloss 2 hours ago | | |

How do you know what's a zero day fix?

(You write something)

So then you have to check every package's updates and decide if you update, yes?

jnwatson 4 hours ago | | |

If you need a quick patch, you pass another parameter to turn off the 1 day. 1 day delay will prevent more problems than it makes.

alexdns 3 hours ago | | |

so this parameter can be passed by the attackers also thus making your point pointless

gbear605 3 hours ago | | |

The idea of the parameter is stopping the attackers from getting on your system in the first place

therealmarv 3 hours ago | | |

that parameter cannot be set by a package, you only can set it

Zopieux 4 hours ago |

Eh, that only took a few dozen actively exploited supply-chain vulns in the span of two years!

dawnerd 4 hours ago | |

Only took Microsoft themselves getting hit with it for things to change.

heldrida 4 hours ago |

> The resulting allowlist is written to package.json

Couldn’t this effectively result in the same process we get in pre-12 defaults?

CGamesPlay 1 hour ago | |

It's unstated, but I'm willing to assume that only the root package.json is consulted to decide if these scripts are allowed. Otherwise, yes, this would not actually change anything.

Pxtl 2 hours ago |

I would've assumed lockfile-by-default. We're still going with auto-updating?

jbreckmckye 2 hours ago | |

You do get a lockfile by default

TZubiri 5 hours ago |

Looks good? But doesn't this just change the compromise window from first installation to first run?

retardedsecguy 2 hours ago |

npm is basically pnpm now

cute_boi 1 hour ago | |

Except pnpm is written in Rust and is very fast, saves disk and has much more advantage.

themafia 3 hours ago |

The "aw geez, enough is enough" release.

Finally.

Tiberium 5 hours ago |

I hope GitHub changes their vibecoded badges, what does RETIRED even signify in this context? Why does the preview have to be in ominous red?

mort96 5 hours ago | |

Hahaha that's amazing, just a big red "RETIRED" badge above their blog post? What the hell

petetnt 4 hours ago | | |

Breaking changes have had that tag for ages

mort96 4 hours ago | | |

Really? Retired? What does that even mean in this context, why not "breaking" or something else that suggests breaking change?

behindsight 3 hours ago | | |

> Retired? What does that even mean in this context

"retired" is probably a followup to functionality that was "deprecated".

I agree "breaking" would be clearer

sheept 4 hours ago | |

The changelog design has been like that since last year,[0] which predates today's slop design of small caps and monospace text (probably because they both are based on the same design trend). A year ago, vibe coded websites leaned more on sans serif and gradient text.

[0]: https://github.blog/changelog/2025-05-05-improvements-to-cha...

SCLeo 2 hours ago |

I don't get it. How does this help with anything? You pull in a dependency to use it, right?

dlopes7 1 hour ago | |

Well pulling some code is different than running a script on your machine

zarzavat 2 hours ago |

There's an easy way to stop most supply chain attacks:

1. Publishing users must approve each and every release from a smartphone app.

2. Publishing users must provide verified government ID.

The first step prevents the types of attacks where an attacker gets control of a maintainer's computer and publishes a new release.

The second step discourages attacks where a user tries to get a malicious package used by others.

When combined with the security features that already exist, e.g. delays and automatic scanning, it would make it considerably harder to pull off a successful attack.