Upcoming breaking changes for npm v12

Original link: https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/

npm v12, scheduled for release in July 2026, introduces significant security changes to `npm install`, disabling several automated behaviours by default. Users must now explicitly opt in to perform specific tasks.

Key changes include:

* **`allowScripts` off by default:** dependency scripts (including `node-gyp` builds and `prepare` scripts) will no longer run automatically.
* **`--allow-git` defaults to none:** Git dependencies will be blocked by default, preventing unauthorised code execution via `.npmrc`.
* **`--allow-remote` defaults to none:** dependencies fetched from remote URLs (such as tarballs) will be blocked by default.

**How to prepare:** these changes are currently surfaced as warnings in npm v11.16.0+. To get ready, upgrade to v11.16.0+, run your install and review the warnings. Use `npm approve-scripts` to explicitly trust the packages you need; your choices are saved to `package.json` and should be committed to your repository. Taking these steps now will ensure a smooth transition when v12 is released. See the official npm documentation for details.

The Hacker News community is discussing the upcoming breaking changes in npm v12, focusing on new security measures such as disabling `allowScripts` by default. While many users welcome the move toward a safer, "pnpm-like" configuration, the discussion has also sparked a broader debate about supply-chain security and the role of package managers.

Main points of the discussion:

* **Security concerns:** users generally applaud disabling scripts by default, but feel npm lags behind competitors such as Deno, which has a more robust built-in permission system.
* **The "npm experience":** participants criticised the aesthetics of the GitHub changelog, in particular the confusing use of the "RETIRED" badge, and questioned the long-term implications of GitHub's acquisition of npm.
* **Supply-chain vulnerabilities:** some commenters discussed the effectiveness of the new defaults, noting that malicious code can still execute at runtime or through build tools. Suggestions for further hardening included mandatory two-factor authentication (2FA) and government ID verification for publishers, and hash-based whitelists for scripts.

Overall, the community sees these updates as a necessary "catch-up" to reduce long-standing supply-chain risks.

Original text

Our next npm major version, v12, introduces security-related default changes to npm install. All these changes are available behind warnings in npm today on 11.16.0 or newer, so you can prepare before the upgrade. v12 is estimated to release in July 2026.

Each change turns an npm install behavior that runs automatically today into one you explicitly opt into:

  • allowScripts defaults to off: npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project. This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it). prepare scripts from git, file, and link dependencies are blocked the same way. To see what would be blocked, run npm approve-scripts --allow-scripts-pending. Then allow the packages you trust with npm approve-scripts and block the rest with npm deny-scripts. The resulting allowlist is written to package.json and should be committed. If your install routine runs scripts, you can observe warnings in npm 11.16.0+.

  • --allow-git defaults to none: npm install will no longer resolve Git dependencies (direct or transitive) unless explicitly allowed via --allow-git. This closes a code-execution path where a Git dependency’s .npmrc could override the Git executable, even with --ignore-scripts. This change was previously announced on 2026-02-18 and is available in npm 11.10.0+.

  • --allow-remote defaults to none: npm install will no longer resolve dependencies from remote URLs, such as https tarballs (direct or transitive), unless explicitly allowed via --allow-remote. This flag is available in npm 11.15.0+. The related --allow-file and --allow-directory flags are not changing their defaults in v12.

How to prepare

Upgrade to npm 11.16.0 or later, run your normal install, and review the warnings. Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json. After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop. More details are available in our docs at npm approve-scripts, npm deny-scripts, and allow-scripts config (for npx and global installs). Please share your comments and questions in our community discussion.
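As an added example (not code from the npm changelog or from npm itself), the following Node script reads a parsed package-lock.json and lists which installed packages the three v12 defaults above would block, so a team can see its exposure before upgrading. It assumes the lockfile v2/v3 "packages" layout, npm's `hasInstallScript` lockfile flag for packages with install-phase scripts, URL-prefix detection of git and remote specs, and `registry.npmjs.org` as the registry host; the lockfile below is constructed with fictional packages.

```javascript
// Added example (not npm's code): readiness check over a parsed package-lock.json
// (v2/v3 "packages" layout) listing what npm v12 blocks by default. Assumptions:
// the registry host below, URL-prefix detection, npm's `hasInstallScript` flag.
const REGISTRY_HOST = "registry.npmjs.org"; // assumption: default public registry

// Map a dependency spec or a lockfile `resolved` value to the v12 gate it hits.
function gateFor(specOrResolved) {
  const s = specOrResolved || "";
  if (/^(git\+|git:|github:|gitlab:|bitbucket:)/.test(s)) return "allow-git";
  if (/^https?:\/\//.test(s)) {
    let host = "";
    try { host = new URL(s).host; } catch { /* not a parseable URL */ }
    return host === REGISTRY_HOST ? null : "allow-remote";
  }
  return null; // registry range, file:, link:, workspace, etc.
}

// Walk every installed package and bucket it by the default that now blocks it.
function auditLockfile(lock) {
  const findings = { scripts: [], git: [], remote: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, ""); // last path segment
    if (entry.hasInstallScript) findings.scripts.push(name); // lifecycle scripts
    const gate = gateFor(entry.resolved);
    if (gate === "allow-git") findings.git.push(name);
    if (gate === "allow-remote") findings.remote.push(name);
  }
  return findings;
}

// Human-readable report naming the opt-in for each finding.
function formatReport(findings) {
  const out = [];
  for (const n of findings.scripts) out.push(`${n}: install scripts blocked (allowScripts off); review with npm approve-scripts`);
  for (const n of findings.git) out.push(`${n}: git dependency blocked; needs --allow-git`);
  for (const n of findings.remote) out.push(`${n}: remote tarball blocked; needs --allow-remote`);
  return out;
}

// Constructed sample lockfile with fictional packages, one per gate plus a clean one.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "1.0.0" },
  "node_modules/plain-lib": { version: "1.0.0", resolved: "https://registry.npmjs.org/plain-lib/-/plain-lib-1.0.0.tgz" },
  "node_modules/native-addon": { version: "2.0.0", resolved: "https://registry.npmjs.org/native-addon/-/native-addon-2.0.0.tgz", hasInstallScript: true },
  "node_modules/from-git": { version: "0.1.0", resolved: "git+ssh://git@github.com/example/from-git.git#0123abcd" },
  "node_modules/from-tarball": { version: "4.2.0", resolved: "https://example.com/downloads/from-tarball-4.2.0.tgz" },
  "node_modules/from-git/node_modules/nested-dep": { version: "1.0.0", resolved: "https://registry.npmjs.org/nested-dep/-/nested-dep-1.0.0.tgz", hasInstallScript: true },
} };
for (const line of formatReport(auditLockfile(SAMPLE_LOCK))) console.log(line);
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to run it against a real project; a private registry on another host will show up under `allow-remote` unless `REGISTRY_HOST` is adjusted.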
