npm install-time security and GAT bypass2fa deprecation
npm v12 is now generally available and tagged latest. This major release turns on the install-time security defaults we announced in June, and it’s also where we begin a deprecation of the most sensitive uses of 2FA-bypass granular access tokens (GATs).
Install-time security defaults are now on
As of npm v12, the following npm install behaviors that used to run automatically are now opt-in:
allowScriptsdefaults to off: Dependency lifecycle scripts (i.e.,preinstall,install,postinstall) and implicitnode-gypbuilds no longer run unless explicitly allowed.--allow-gitdefaults tonone: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.--allow-remotedefaults tonone: Dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.
All of these were available behind warnings in npm 11.16.0+, so you can prepare before upgrading. To review and approve the scripts you trust, run npm approve-scripts --allow-scripts-pending, then commit the resulting allowlist in package.json.
For full details, migration steps, and the docs links, see Upcoming breaking changes for npm v12 and share questions in the npm v12 community discussion.
npm 2FA-bypass GAT will stop skipping 2FA for account changes
npm granular access tokens configured to bypass 2FA will be unable to perform sensitive account, package, and organization management actions once the change is rolled out. Operations for account management on npm will not be able skip 2FA anymore.
This affects operations such as:
- Creating or deleting tokens
- Generating recovery codes and changing your password, email, profile, or 2FA configuration
- Changing package access, maintainers, or trusted publishing configuration
- Managing organization and team membership as well as their package grants
We expect this change to take effect in early August 2026. To prepare, stop using 2FA-bypass tokens for these operations and perform them interactively with 2FA.
2FA-bypass tokens will no longer publish directly
Following the change above, 2FA-bypass tokens will also lose the ability to publish directly. Their publishing surface will be reduced to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.
We expect this change to take effect around January 2027. To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token.
More work is landing over the next few months to make migrating to trusted publishing and staged publishing easier. We’ll share migration guides in a follow-up community discussion.
Follow along and ask questions in the community discussion.