
Beyond disabling postinstalls: how npm install will change in npm 12
As part of its planned 12th release, the npm CLI drops automatically running lifecycle scripts on installs as part of multiple planned breaking changes
Last month, GitHub announced the planned breaking changes for npm 12 which are generally available to all users. These are direct responses to the multiple worm incidents that the npm ecosystem has been dealing with in recent months.
The npm team is now engaged on an ongoing conversation with the Node.js project to figure out which Node.js version will start shipping this new version of the npm CLI. Along with the multiple relevant breaking changes is the long-awaited change of posture regarding lifecycle scripts.
Security focus
Following the lead from other package manager clients, the npm CLI will no longer run install lifecycle scripts by default when installing dependencies - similar to the vlt client, pnpm, bun and others.
What are post-install lifecycle scripts?
When package managers are referring to post-install lifecycle scripts, they're referring to the family of scripts that, when defined in the package.json file of a package included in your dependency graph, are automatically run whenever the user runs npm install or npm ci in their project.
The following scripts are run by the npm CLI when present in a package.json file:
- preinstall
- install
- postinstall
- prepare
Here's a small example of what a package.json file with a lifecycle script looks like:
{
"name": "@vltpkg/my-lib",
"version": "1.0.0",
"scripts": {
"postinstall": "custom-build-step-command"
}
}Other notable breaking changes in npm 12 include:
- Requiring an --allow-git option to use Git repositories as dependencies.
- Usage of an --allow-remote option to use tarball URLs as a dependency.
In case you don't recognize right away what Git or tarball URLs are, below is a small example of a package.json using these types of dependencies:
{
"dependencies": {
"git-dependency": "github:my-org/my-lib#v1.2.3",
"tarball-dependency": "https://example.com/my-tarball.tgz"
}
}Node.js integration
In the last Node.js Release Working Group meeting, Jamie Magee was invited to present his ambitious plan to land npm 12 in current and LTS release lines from the lens of it being an essential security release. Jamie also highlighted efforts, such as reaching out to top package maintainers that are still relying on lifecycle scripts, noting that a majority of those are actually optional rather than required.
That said, a current look at the discussions happening in the planning issue makes it seem like npm 12 is likely to only land on node 27, which is scheduled to have its first alpha release in October 2026.
This is still a developing story, so whether you want to participate or keep an eye on it, definitely watch the spaces linked previously.
How this change can affect you
These changes may impact any project that has dependencies that rely on post-install scripts, including nested (or transitive) dependencies.
Starting in npm 12, you may need to opt into the legacy behavior for projects that still have packages using post-install scripts in their dependency graph. The GitHub announcement blog post also describes how to use the new npm approve-scripts and npm deny-scripts commands to manage a manual list of packages allowed to run post-install scripts.
Moving forward
At vlt, we recommend teams distributing system-dependent binaries to use an optional-dependencies-based strategy instead of post-install scripts – this is a model popularized by esbuild that uses optional dependencies to specify variations of a package to be used in the end-user system instead of relying on post-install script logic. Here's a guide on how to adopt that strategy.
It's also worth keeping an eye on the accepted RFC written by Darcy that aims to evolve that solution to a better-suited native format to handle multiple package distributions.
Other uses of post-install lifecycle hooks are now definitely discouraged, with the npm CLI no longer running these by default.
Keep an eye on these changes and stay safe!
a word from the vlt team:
If you're interested in checking out a secure registry that will go beyond client-side features to help you prevent worms & malware, while providing a faster install experience, check out our new platform at https://www.vlt.io.