Safer npm installation is on the way for Node.js (and all JavaScript)
JavaScript’s package manager, npm, has been in the news lately because of supply-chain attacks. By default, npm trusts a package’s install-time lifecycle scripts (preinstall, install and postinstall) and runs them automatically as soon as the package is installed, so a compromised package executes arbitrary code on every machine that installs it. In a recent compromise of Red Hat npm packages, attackers used malicious install scripts to spread a credential-stealing worm.
Some packages legitimately need install scripts. The odbc module, for example, runs node-gyp during installation to compile its native binding against the system’s ODBC driver manager. On IBM i and other platforms without a prebuilt binary, that compile step is necessary.
npm’s response
Starting with npm 11.16.0, npm will warn about install scripts that have not been explicitly approved. In npm 12, unapproved scripts are expected to be blocked by default.
If you try to install a package with install scripts under npm 11.16.0 or later, you will receive a warning such as this:

```
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts odbc@2.5.0 (install: node-gyp rebuild)
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
```
For legitimate packages that need install scripts, the fix is to run npm approve-scripts. For example:

```
npm approve-scripts odbc
```
After approval, npm will remember that the package should be allowed to run its install script:

```
Approved odbc: added odbc@2.5.0
```
In our case, approving odbc is appropriate because its installation runs node-gyp, which is needed to compile the ODBC driver.
We suggest updating npm now and reviewing any warnings before npm 12 makes this behavior more strict. If you need to block scripts today, `ignore-scripts=true` in .npmrc already disables all lifecycle scripts, but it is all-or-nothing; the new allowScripts mechanism lets you approve only the packages that genuinely need a build step.
To upgrade npm to the latest version:

```
npm install npm@latest -g
```
Thank you to IBM’s Korinne Adler for alerting us to this change.
For more open source support and security help
Contact us for professional open source support and security guidance.