Two new features are available today in npm CLI v11.10.0+:

  • Bulk configuration for OIDC trusted publishing: Maintainers can now add or update trusted publishing configurations across multiple packages in a single operation using the npm trust command instead of configuring each package individually.
  • New --allow-git flag for npm install: Git dependencies—direct or transitive—can include .npmrc files that override the git executable path. This enables arbitrary code execution during install even when using --ignore-scripts. The new --allow-git flag gives you explicit control over this behavior.

The flag defaults to all for backward compatibility, but we highly encourage using --allow-git=none now and only reenabling it when git dependencies are truly necessary:

npm install --allow-git=none

--allow-git=none is expected to become the default in npm CLI v12. See the npm install --allow-git documentation for details.

Join the discussion within GitHub Community.