npm 11 vs 12: What's Different in 2026

npm 12 is a security overhaul, not a feature release. The core difference: npm 11 trusts packages by default; npm 12 doesn't. If your project has native modules, Git dependencies, or an old shrinkwrap file, upgrading will break your build — but the fixes are straightforward.

Side-by-Side Comparison

| Feature | npm 11 | npm 12 |
| --- | --- | --- |
| Dependency scripts | Run by default — any package can execute postinstall | Blocked by default — must approve per-package via npm approve-scripts (NEW) |
| Git dependencies | Allowed — git+https:// resolves automatically | Blocked — requires --allow-git flag or .npmrc config |
| Remote URL deps | Allowed — https://...tgz resolves automatically | Blocked — requires --allow-remote flag or .npmrc config |
| shrinkwrap | Supported — npm-shrinkwrap.json loaded and honored | Removed — only package-lock.json works; shrinkwrap command gone |
| npm view --json | Returns single object for single version | Always returns array — scripts parsing single-object JSON will break |
| C++ compiler | C++11 minimum | C++17 required (affects native addon builds) |
| npm star / stars / unstar | Available | Removed — package favoriting feature deprecated |
| npm adduser | Available | Removed — use npm login; create accounts on npmjs.com |
| Man pages | Global registration | Not global — use npm help instead |
| SBOM CycloneDX | Reports directory name | Reports package.json name |
| Script allowlisting | No built-in mechanism | npm approve-scripts — per-package allowlist in package.json (NEW) |
| Darknet/Caffe support | Available | Gone — must convert models to ONNX first |

Security: The Real Difference

npm 11 — Trust by Default (insecure)

For 12 years, a single compromised package with a postinstall script could exfiltrate environment variables, SSH keys, and .npmrc tokens from any machine running npm install. The Shai-Hulud supply-chain attack exploited exactly this vector. npm 11 still operates under this model — scripts execute unless you explicitly pass --ignore-scripts.

npm 12 — Trust Nobody (secure by default)

npm 12 flips the model: zero scripts execute unless you explicitly approve each package. The npm approve-scripts workflow lets you audit what runs, approve trusted packages (sharp, esbuild, node-gyp), and deny the rest. The allowlist lives in package.json — commit it, audit it, own it.

Git and Remote Deps — Two Attack Vectors Closed

A Git dependency's .npmrc could override the Git executable path even with --ignore-scripts. Remote tarball URLs are unverifiable. npm 12 blocks both by default — these are not theoretical attack paths, they're explicitly cited in npm's security announcements.
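To find out what the script allowlist and the Git/remote blocks above will actually hit in a given project, the following added example (not code from npm or this guide) audits a lockfile v2/v3 package-lock.json for packages that declare install scripts, resolve from Git, or resolve from a tarball URL outside the registry. The registry host set and the sample lockfile are constructed assumptions; feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` for a real project.

```javascript
// Added example: classify package-lock.json entries by what npm 12 blocks by default.
// Assumption: anything resolved from a host not in REGISTRY_HOSTS is a "remote URL dep".
const REGISTRY_HOSTS = new Set(['registry.npmjs.org']); // add private registry hosts here

// Returns 'git', 'remote', or null (registry tarball, link, or missing resolved field).
function classifyResolved(resolved) {
  if (!resolved) return null;
  if (/^git(\+\w+)?:/.test(resolved)) return 'git';   // git:, git+ssh:, git+https:, ...
  try {
    const url = new URL(resolved);
    const isHttp = url.protocol === 'https:' || url.protocol === 'http:';
    if (isHttp && !REGISTRY_HOSTS.has(url.hostname)) return 'remote';
  } catch {
    return null; // not a URL at all (e.g. a file: link); nothing for npm 12 to block
  }
  return null;
}

// Walks the "packages" map of a lockfile v2/v3 and buckets the findings by category.
function auditLockfile(lock) {
  const result = { scripts: [], git: [], remote: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || path.replace(/^.*node_modules\//, '');
    if (entry.hasInstallScript) result.scripts.push(name); // needs npm approve-scripts
    const kind = classifyResolved(entry.resolved);
    if (kind === 'git') result.git.push(name);       // needs --allow-git / allow-git=true
    if (kind === 'remote') result.remote.push(name); // needs --allow-remote
  }
  return result;
}

// Constructed sample lockfile covering all four cases (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: 'demo', lockfileVersion: 3, packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/sharp': { version: '0.33.0', hasInstallScript: true,
      resolved: 'https://registry.npmjs.org/sharp/-/sharp-0.33.0.tgz' },
    'node_modules/left-pad': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/my-fork': { version: '2.0.0',
      resolved: 'git+ssh://git@github.com/example/my-fork.git#abc123' },
    'node_modules/legacy-lib': { version: '0.1.0',
      resolved: 'https://example.com/downloads/legacy-lib-0.1.0.tgz' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Each bucket is the list you then review: approve or deny the `scripts` entries with npm approve-scripts, and decide whether the `git` and `remote` entries deserve an allow-git / allow-remote setting or a replacement from the registry.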

Migration Difficulty: Head-to-Head

| Scenario | npm 11 → 12 Effort | Key Action |
| --- | --- | --- |
| Pure JS project (no native deps) | Minimal — 5 minutes | npm install -g npm@12 |
| Project with native deps | Medium — 30 minutes | Run npm approve-scripts --allow-scripts-pending, approve trusted packages |
| Monorepo with Git deps | Medium — 1 hour | Add allow-git=true to .npmrc; audit all package.json files |
| Legacy project with shrinkwrap | Medium — 1 hour | Rename to package-lock.json or switch to bundleDependencies |
| CI/CD with custom npm view scripts | Medium — 1 hour | Update JSON parsing: single object → array |
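The last row is the one that silently breaks CI scripts rather than the install itself. The following added example (not code from npm or this guide) shows a normalizer that accepts both shapes, so the same script works before and after the upgrade; the two sample outputs are constructed to match the shapes the table describes.

```javascript
// Added example: make `npm view <pkg> --json` consumers tolerant of both npm 11 and npm 12.
// npm 11 returns a single object (or a bare value when one field is selected) for one
// version; npm 12 always returns an array. Normalize to an array before touching fields.
function normalizeViewOutput(raw) {
  const parsed = typeof raw === 'string' ? JSON.parse(raw) : raw;
  if (Array.isArray(parsed)) return parsed;          // npm 12 shape, or npm 11 with a range
  if (parsed === null || parsed === undefined) return []; // no match: npm 11 prints nothing
  return [parsed];                                   // npm 11 single object / bare value
}

// Extracts version strings regardless of whether entries are full objects or bare values
// (e.g. `npm view pkg version --json`).
function versionsOf(raw) {
  return normalizeViewOutput(raw).map((entry) =>
    typeof entry === 'object' ? entry.version : String(entry));
}

// Constructed sample outputs for the same query on the two npm majors.
const NPM11_SINGLE = '{"name":"left-pad","version":"1.3.0","license":"WTFPL"}';
const NPM12_ARRAY  = '[{"name":"left-pad","version":"1.3.0","license":"WTFPL"}]';
const NPM11_FIELD  = '"1.3.0"';          // npm 11: `npm view left-pad version --json`
const NPM12_FIELD  = '["1.3.0"]';        // npm 12: same query, wrapped in an array

for (const out of [NPM11_SINGLE, NPM12_ARRAY, NPM11_FIELD, NPM12_FIELD]) {
  console.log(versionsOf(out)); // [ '1.3.0' ] in every case
}
```

In a CI script, replace `JSON.parse(execSync('npm view pkg --json'))` with `normalizeViewOutput(execSync('npm view pkg --json', { encoding: 'utf8' }))` and index the result as an array.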

Decision Guide

Stay on npm 11 if...

  • You're in the middle of a critical release cycle — don't change package managers mid-sprint
  • You have unmaintained native dependencies with no alternatives — the allowScripts audit will surface them
  • Your CI infrastructure can't be updated to Node.js versions that will bundle npm 12 (but this is temporary)

Upgrade to npm 12 now if...

  • You maintain CI/CD pipelines — prepare before Node.js bundles v12 and breaks your builds
  • You ship software to security-conscious customers — "we use npm 12 default security" is a selling point
  • You want to audit your dependency scripts before an attacker does — npm approve-scripts --allow-scripts-pending works on npm 11.16.0+ too

Upgrade later (but prepare now) if...

  • Your project has Git dependencies in transitive packages — audit them first on npm 11.16.0+
  • You publish packages with npm-shrinkwrap.json — the bundleDependencies migration needs testing
  • You need to update CI scripts that parse npm view --json output — grep and fix before the upgrade

Timeline: When npm 12 Hits You

| Milestone | Timeline | What It Means |
| --- | --- | --- |
| npm 12 pre-release | June 9, 2026 | Changelog published; warnings in npm 11.16.0+ |
| npm 12 GA | Estimated July 2026 | npm install -g npm@12 available |
| Node.js 22.x bundles npm 12 | ~August-October 2026 | First LTS line to ship v12 — CI starts breaking |
| Node.js 24.x bundles npm 12 | ~October-December 2026 | Second LTS — adoption accelerates |
| npm 11 EOL | ~2027 | Security patches stop — must migrate |

FAQ

Do I have to upgrade from npm 11 to 12?

Not immediately, but eventually yes. Once Node.js LTS lines bundle npm 12 (estimated late 2026), you'll get v12 automatically when you upgrade Node.js. You can pin npm 11 with npm install -g npm@11, but that's a short-term workaround, not a strategy. The smart move: prepare on npm 11.16.0+ now, migrate on your schedule, not Node's.

Which npm 12 breaking changes will actually affect me?

P0 (will break you): allowScripts off — if you have ANY native dependencies (bcrypt, sharp, esbuild, node-sass), your build fails. P1 (may break you): Git deps blocked if you use git+https:// deps; shrinkwrap removal if you publish CLI tools; npm view JSON format change if your CI parses it. P2 (unlikely): remote URL deps, C API removal, Darknet/Caffe parsers gone.

Is npm 12 faster than npm 11?

npm 12 is primarily a security release, not a performance release. Install speed should be similar to npm 11. The main change is that fewer things happen during install (scripts don't run, Git deps don't resolve, remote URLs don't download), which can actually make installs faster in some cases — but that's a side effect, not the goal.

What about pnpm and Yarn? How do they compare?

Both pnpm and Yarn 4+ already have per-package script allowlisting — pnpm via pnpm.onlyBuiltDependencies, Yarn via similar supply-chain protections. npm 12 is catching up to the security posture pnpm and Yarn have had for years. If you're already on pnpm/Yarn, the npm 12 changes won't affect you directly, but transitive dependencies installed via npm will still need the new approvals.

Can I test npm 12 behavior without installing it?

Yes. Install npm 11.16.0+: npm install -g npm@11. Run npm install in your project — it will show warnings previewing v12 behavior (which scripts would be blocked, which Git/remote deps would fail). No changes are enforced, but you can see exactly what will break and fix it before v12 lands.
