Upcoming breaking changes for npm v12
Ownership, Microsoft, and trust
- Many commenters were surprised or unhappy that npm is owned by GitHub/Microsoft; others noted it’s been true since 2020 and npm “sucked” before.
- Debate over whether Microsoft has really changed vs. repeating “embrace, extend, extinguish” patterns; some see GitHub/VS Code as pragmatic, others as lock-in and “open washing.”
- Layoffs around the npm acquisition and later GitHub AI focus are cited as evidence of corporate priorities over ecosystem health.
Core npm v12 changes (allowScripts, postinstall)
- Main change: install scripts (e.g., postinstall) are disabled by default and must be explicitly allowed (allowScripts in config/package.json).
- This aligns npm more with pnpm and adds per-package whitelisting, including version-pinned allowlists.
- Native module authors and people shipping binaries via npm asked how their workflows are affected; answers indicate all install scripts are off by default, but existing patterns (os/cpu/optionalDependencies) remain workable.
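As an added example (not code from the npm project or from the thread), this is the audit a team would run before switching to a version-pinned allowlist: it walks a resolved dependency tree, reports every package that declares a preinstall/install/postinstall script (or would trigger node-gyp implicitly via a binding.gyp with no explicit install script), and checks each finding against an exact-version allowlist so that a new release of an allowed package is blocked until someone reviews it. The tree and allowlist shapes and the package names are constructed for this example; the allowlist format is this example's own, not npm's allowScripts syntax.

```javascript
// Lifecycle hooks npm runs while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Report every package in a resolved tree that would execute code at install time.
// Tree entry shape (constructed for this example):
//   { name, version, packageJson, hasBindingGyp }
function findInstallScripts(tree) {
  const findings = [];
  for (const pkg of tree) {
    const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
    const hooks = [];
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd === 'string' && cmd.trim() !== '') {
        hooks.push({ hook, command: cmd.trim() });
      }
    }
    // With a binding.gyp and no explicit install/preinstall script,
    // npm defaults the install step to `node-gyp rebuild`.
    if (pkg.hasBindingGyp && !scripts.install && !scripts.preinstall) {
      hooks.push({ hook: 'install', command: 'node-gyp rebuild (implicit: binding.gyp present)' });
    }
    if (hooks.length > 0) {
      findings.push({ name: pkg.name, version: pkg.version, hooks });
    }
  }
  return findings;
}

// Version-pinned allowlist: { 'pkg-name': ['1.2.3', ...] }, exact-version match only.
// Anything not listed, including a newer version of an allowed package, is blocked.
function applyAllowlist(findings, allowlist) {
  const allowed = [];
  const blocked = [];
  for (const finding of findings) {
    const versions = allowlist[finding.name] || [];
    (versions.includes(finding.version) ? allowed : blocked).push(finding);
  }
  return { allowed, blocked };
}

// Constructed sample tree with fictional package names.
const SAMPLE_TREE = [
  { name: 'left-align', version: '1.0.0',
    packageJson: { name: 'left-align', scripts: { test: 'node test.js' } } },
  { name: 'fast-hash-native', version: '2.3.1',
    packageJson: { name: 'fast-hash-native', scripts: { install: 'node-gyp rebuild' } } },
  { name: 'telemetry-helper', version: '0.9.2',
    packageJson: { name: 'telemetry-helper', scripts: { postinstall: 'node ./scripts/report.js' } } },
  { name: 'legacy-addon', version: '4.0.0',
    packageJson: { name: 'legacy-addon' }, hasBindingGyp: true },
];

// Constructed allowlist: one package pinned to the installed version,
// one pinned to an older version than the tree now resolves.
const SAMPLE_ALLOWLIST = {
  'fast-hash-native': ['2.3.1'],
  'telemetry-helper': ['0.9.1'],
};

function auditSample() {
  return applyAllowlist(findInstallScripts(SAMPLE_TREE), SAMPLE_ALLOWLIST);
}

// Human-readable report, one line per package, for CI output.
function formatReport({ allowed, blocked }) {
  const line = (status, f) =>
    `${status} ${f.name}@${f.version}: ` + f.hooks.map((h) => `${h.hook} -> ${h.command}`).join('; ');
  return [...allowed.map((f) => line('ALLOWED', f)), ...blocked.map((f) => line('BLOCKED', f))].join('\n');
}

console.log(formatReport(auditSample()));
```

Running this prints one ALLOWED line for fast-hash-native and BLOCKED lines for telemetry-helper (version drift from the allowlist) and legacy-addon (implicit node-gyp build, never reviewed); the blocked list is what a reviewer works through before adding entries to the real allowlist.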
Security impact and remaining risks
- Many see this as a big security win: it eliminates a common supply-chain vector, especially for frontend-only packages where code never runs server-side.
- Skeptics argue malware can just move from install scripts into module runtime code, tests, or build tooling, so the attack surface is reduced but not removed.
- Some note this fix addresses a vulnerability reported ~10 years ago and only landed after multiple high-profile exploits, including incidents affecting Microsoft itself.
Proposals for stronger defenses
- Suggestions include:
  - Age delays (e.g., 1-day default) before new releases are installable.
  - Mandatory 2FA or stronger identity (government ID + smartphone approval) for publishers.
  - More Debian-like staged repos with human QA and paid corporate support.
  - Sandboxing, simulation runs, and better provenance/permissions (with Deno cited as a stronger model).
Ecosystem comparisons (pnpm, yarn, others)
- Several commenters say npm is “basically pnpm now,” but pnpm is seen as faster and more space-efficient, with similar protections already enabled.
- Yarn is reported to have comparable security and performance, plus features like Plug’n’Play; some teams migrated to pnpm due to ecosystem friction.
- Deno and Node’s own permission system are discussed as more principled approaches to runtime isolation, though Node’s defaults are criticized.
Miscellaneous reactions
- Mixed views on the change: from “finally” and “aw geez, enough is enough” to “pointless” and “just shifting blame.”
- UI complaints about GitHub’s red “RETIRED” badge and confusing terminology.
- General sentiment: better than nothing, very late, and only one step in a still-fragile JS supply chain.