github GitHub Changelog ·

npm v12 Introduces Install-Time Security Defaults and Deprecates 2FA-Bypass GATs

securitygadeprecationengineer
feature deprecation patch

npm v12 is now generally available, enforcing stricter install-time security defaults that require explicit opt-in for scripts, Git dependencies, and remote URLs. This release also begins deprecating granular access tokens (GATs) configured to bypass 2FA for sensitive account and package management actions. These changes aim to enhance security for all npm users, particularly those managing critical infrastructure. Users should review and approve trusted scripts and plan to migrate automated publishing workflows.

  • Deprecation of 2FA-Bypass GATs for Sensitive Actions
  • 2FA-Bypass GATs Will Lose Direct Publishing Capability
  • npm v12 is Generally Available
  • New Install-Time Security Defaults in npm v12
Deprecations (2)
  • Deprecation of 2FA-Bypass GATs for Sensitive Actions

    npm is deprecating the use of 2FA-bypass granular access tokens (GATs) for sensitive account, package, and organization management actions, including token creation/deletion and profile changes, starting early August 2026.

  • 2FA-Bypass GATs Will Lose Direct Publishing Capability

    Following the deprecation for management actions, 2FA-bypass tokens will also lose the ability to publish directly around January 2027. Publishing will require human 2FA approval or migration to trusted publishing (OIDC).

Enhancements (1)
  • New Install-Time Security Defaults in npm v12

    npm v12 turns on install-time security defaults, making previously automatic behaviors opt-in. This includes disallowing dependency lifecycle scripts, Git dependencies, and remote URL dependencies by default, requiring explicit user approval.

Notes (1)
  • npm v12 is Generally Available

    npm v12, tagged as latest, is now generally available. This release enforces previously announced install-time security defaults and begins deprecating certain uses of 2FA-bypass granular access tokens.

Read the original announcement →

https://github.blog/changelog/2026-07-08-npm-install-time-security-and-gat-bypass2fa-deprecation