Skip to content

GitHub Unveils npm v12 Security Enhancements to Combat Supply-Chain Attacks

GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the ‘npm install’ command.

The main theme of the announcement is that code execution and non-registry dependency sources that currently trigger automatically during npm install will now require explicit approval instead of being trusted by default. Specifically, GitHub announced the following changes:

* Starting in version 12, npm install will not run preinstall, install, or postinstall scripts from dependencies unless they have been explicitly approved. This also applies to native module builds triggered through node-gyp, and prepare scripts from Git, local file, and linked dependencies.

* npm install will no longer fetch dependencies from Git repositories, whether direct or transitive, unless explicitly permitted. GitHub says this removes a code execution path where a Git dependency’s .npmrc file could alter which Git executable is used, even when install scripts are disabled.

* Dependencies installed from remote URLs, such as HTTPS tarballs, will no longer be resolved unless explicitly permitted. This applies to both direct and transitive dependencies.

These changes can significantly reduce supply-chain attacks by removing the automatic execution of dependency installation scripts, the automatic resolution of Git-based dependencies, and the automatic resolution of remote URL dependencies.

The new defaults could have disrupted several attack techniques used in recent supply-chain attacks. This includes malicious preinstall/postinstall script campaigns targeting eslint-config-prettier, Toptal’s Picasso packages, dozens of data-stealing npm packages, as well as Git dependency abuse documented in Shai-Hulud attacks.

Projects that rely on any of these behaviors for legitimate workflows will need to explicitly opt in before upgrading to npm v12. GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12. This allows developers running their normal install routines to review these warnings and identify dependencies or workflows that will require explicit approval before upgrading.

After upgrading to version 12, only explicitly approved scripts and dependency sources will continue functioning automatically. A community discussion has been opened for developers to share their suggestions on the upcoming changes.

**Security Implications:**

The new security enhancements in npm v12 are expected to significantly reduce supply-chain attacks by removing the automatic execution of dependency installation scripts, the automatic resolution of Git-based dependencies, and the automatic resolution of remote URL dependencies. This will require developers to explicitly approve scripts and dependency sources before they can function automatically.

**Recommendations:**

GitHub recommends that developers prepare for the upcoming changes by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12. Developers should review these warnings and identify dependencies or workflows that will require explicit approval before upgrading to version 12.

**Conclusion:**

The new security enhancements in npm v12 are a significant step towards preventing supply-chain attacks. By requiring explicit approval for scripts and dependency sources, developers can ensure that their projects are secure and protected from potential threats.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *