GitHub To Disable Automatic npm Install Scripts To Stop Supply Chain Attacks

GitHub announced what it called “breaking changes” coming to npm version 12, one of which disables the automatic execution of install scripts to combat software supply chain threats.
The changes aim to counter attack techniques that abuse the “npm install” command to trigger malicious code execution through npm lifecycle hooks. “npm install” downloads and installs all the dependencies a Node.js project requires. Version 12 is scheduled to be released next month.
Describing install lifecycle scripts as “the single largest source of code execution in the npm ecosystem,” GitHub said the “npm install” command runs scripts from every transitive dependency, so a single compromised package anywhere in the dependency tree can run malicious code on a developer machine or CI runner.
By blocking that behavior, the idea is to require explicit user opt-in before any code runs during “npm install,” instead of trusting every dependency automatically. “Blocking scripts by default closes off that path while keeping one command for the packages you trust,” GitHub said.
The changes are listed below:
- npm install will no longer run preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.
- npm install will no longer resolve Git dependencies, direct or transitive, unless explicitly allowed with --allow-git.
- npm install will no longer resolve dependencies hosted at remote URLs, such as https tarballs, unless explicitly allowed with --allow-remote.
“This includes the implicit node-gyp build (that is, a package with a binding.gyp and no explicit install script is still blocked, because npm would otherwise run its own implicit node-gyp rebuild),” the Microsoft subsidiary said about the change to the “allowScripts” default behavior. “prepare scripts from git, file, and link dependencies are blocked in the same way.”
With “--allow-git” defaulting to “none,” the setting also disables a code execution path in which a .npmrc configuration file could be used to override the Git executable that npm invokes. GitHub also pointed to --ignore-scripts, the flag that prevents packages specified in package.json from automatically running their lifecycle scripts.
GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running their usual installs, and reviewing the warnings npm displays.
“Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and generate an updated package.json,” it added. “After that, only the scripts you’ve approved continue to run once you’ve upgraded. Anything you leave unchecked will stop.”
Earlier this year, npm also introduced “min-release-age,” a setting that tells npm to reject any version of a package published less than a specified number of days ago, as a protection against newly published malicious packages.