npm bulk trusted publishing config and script security now generally available

Two new features are available today in npm CLI v11.10.0+:

Bulk configuration for OIDC trusted publishing: Maintainers can now add or update trusted publishing configurations across multiple packages in a single operation using the npm trust command instead of configuring each package individually.
New --allow-git flag for npm install: Git dependencies—direct or transitive—can include .npmrc files that override the git executable path. This enables arbitrary code execution during install even when using --ignore-scripts. The new --allow-git flag gives you explicit control over this behavior.

The flag defaults to all for backward compatibility, but we highly encourage using --allow-git=none now and only reenabling it when git dependencies are truly necessary:

npm install --allow-git=none

npm install --allow-git=none

--allow-git=none is expected to become the default in npm CLI v12. See the npm install –allow-git documentation for details.

Join the discussion within GitHub Community.

JUN.9Release
Dependabot version updates now support the Deno ecosystem
- Supply Chain Security
JUN.9Retired
Upcoming breaking changes for npm v12
- Supply Chain Security
MAY.26Release
Dependabot version updates now support the sbt ecosystem
- Supply Chain Security
MAY.22Release
Staged publishing and new install-time controls for npm
- Supply Chain Security
MAY.19Retired
Upcoming deprecation of Python 3.9 for Dependabot
- Supply Chain Security
MAY.12Retired
Synchronous SBOM API deprecated
- Supply Chain Security
MAY.11Improvement
Cross-org Dependabot access for internal repositories
- Supply Chain Security
MAY.6Release
Search and filter bar for repository security advisories
- Supply Chain Security
MAY.5Release
Dependency scanning with GitHub MCP Server is in public preview
- Supply Chain Security

npm bulk trusted publishing config and script security now generally available

Related Posts

Subscribe to our developer newsletter