npm v12 is now generally available and tagged latest. This major release turns on the install-time security defaults we announced in June, and it’s also where we begin a deprecation of the most sensitive uses of 2FA-bypass granular access tokens (GATs).

Install-time security defaults are now on

As of npm v12, the following npm install behaviors that used to run automatically are now opt-in:

  • allowScripts defaults to off: Dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.
  • --allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.
  • --allow-remote defaults to none: Dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.

All of these were available behind warnings in npm 11.16.0+, so you can prepare before upgrading. To review and approve the scripts you trust, run npm approve-scripts --allow-scripts-pending, then commit the resulting allowlist in package.json.

For full details, migration steps, and the docs links, see Upcoming breaking changes for npm v12 and share questions in the npm v12 community discussion.

npm 2FA-bypass GAT will stop skipping 2FA for account changes

npm granular access tokens configured to bypass 2FA will be unable to perform sensitive account, package, and organization management actions once the change is rolled out. Operations for account management on npm will not be able skip 2FA anymore.

This affects operations such as:

  • Creating or deleting tokens
  • Generating recovery codes and changing your password, email, profile, or 2FA configuration
  • Changing package access, maintainers, or trusted publishing configuration
  • Managing organization and team membership as well as their package grants

We expect this change to take effect in early August 2026. To prepare, stop using 2FA-bypass tokens for these operations and perform them interactively with 2FA.

2FA-bypass tokens will no longer publish directly

Following the change above, 2FA-bypass tokens will also lose the ability to publish directly. Their publishing surface will be reduced to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.

We expect this change to take effect around January 2027. To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token.

More work is landing over the next few months to make migrating to trusted publishing and staged publishing easier. We’ll share migration guides in a follow-up community discussion.

Follow along and ask questions in the community discussion.