npm v12 to enforce stricter security defaults for package installation
npm v12, slated for July 2026, introduces security enhancements by defaulting to stricter controls for package installation scripts and Git/remote dependencies. These changes aim to mitigate code execution risks by requiring explicit user opt-in for potentially risky operations. Users on npm 11.16.0 or newer can prepare by reviewing warnings and using `npm approve-scripts` to manage trusted packages.
Breaking changes (3)
- npm install to disable execution of preinstall, install, postinstall scripts by default
npm v12 will change `allowScripts` to default to off, meaning install scripts from dependencies will not run automatically. This includes native node-gyp builds and prepare scripts from git, file, and link dependencies. Users can preview blocked scripts with `npm approve-scripts --allow-scripts-pending` and manage trust with `npm approve-scripts` and `npm deny-scripts`, committing the resulting allowlist to package.json.
- npm install to block Git dependencies by default
The `--allow-git` flag will default to 'none' in npm v12, preventing automatic resolution of Git dependencies, both direct and transitive. This change closes a code-execution path where a Git dependency's `.npmrc` could override the Git executable. The flag is available in npm 11.10.0 and later.
- npm install to block remote URL dependencies by default
npm v12 will change `--allow-remote` to default to 'none', meaning dependencies fetched from remote URLs such as HTTPS tarballs will not be resolved unless explicitly allowed. The flag is available in npm 11.15.0 and later; the defaults for `--allow-file` and `--allow-directory` remain unchanged.
Notes (1)
- Preparation for npm v12 breaking changes
To prepare for npm v12, users should upgrade to npm 11.16.0 or later, run their usual installs to observe warnings, and use `npm approve-scripts --allow-scripts-pending` to identify and approve trusted package scripts. Approved scripts will continue to run post-upgrade, while unapproved ones will be blocked.
https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12
