npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
Summary
GitHub has released npm version 12, which now disables install scripts by default to mitigate supply chain risks. This change makes previously automatic script execution an opt-in feature, enhancing security for developers.
IFF Assessment
FRIEND
This change directly addresses supply chain risks in the software development process, which is beneficial for defenders by reducing the potential for malicious code execution during package installations.
Defender Context
This update represents a significant step in reducing software supply chain risks, a persistent threat for defenders. Developers should be aware of this change and proactively manage their dependencies, ensuring that any necessary install scripts are intentionally enabled to avoid unexpected behavior.