GitHub to disable automatic npm install scripts by default
🔒 GitHub will change npm v12 defaults in July to block automatic execution of dependency install scripts unless a project explicitly allows them. The change prevents preinstall, install and postinstall scripts — including implicit node-gyp rebuilds — from running by default, narrowing a common supply chain attack vector. Experts generally praised the move as overdue but warned it only reduces, not eliminates, supply chain risk and will push attackers to other methods.
