NPM 12 and install scripts

Eugene Lazutkin edited this page Jun 13, 2026 · 3 revisions

Starting with npm 12 (scheduled for July 2026), npm no longer runs dependency lifecycle scripts by default. This page explains what changes, who is affected, and what to do about it — both as an end user installing a binary addon and as an addon author using this helper.

What changes in npm 12

  • preinstall / install / postinstall scripts of dependencies do not run unless the dependency is explicitly allowed.
  • The implicit node-gyp rebuild for packages with a binding.gyp does not run either — so the classic build-from-source flow is gated the same way as the prebuilt download.
  • prepare scripts of git / file / link dependencies are gated as well.

npm 11.16.0 (May 2026) introduced the same machinery in advisory mode: scripts still run, but an end-of-install summary names every package with unreviewed install scripts. npm 12 turns that into a hard block.

Why it matters for this project

install-from-cache runs as the consuming addon's install script. Under npm 12 defaults, a plain npm install <addon> fails with ESTRICTALLOWSCRIPTS before running anything — neither the prebuilt-artifact download nor the node-gyp fallback fires, and nothing is installed (the failure is atomic). Nothing in this helper can bypass the gate: it is a consumer-side security decision, the same one that hits every native addon (Playwright, Puppeteer, Electron, sharp, ...).

For end users: approving an addon

Approve the addon once per project — npm records the approval in the allowScripts field of your package.json. The simplest flow is to pre-approve before installing:

npm pkg set allowScripts.some-addon=true --json
npm install some-addon

or equivalently, add to your project's package.json by hand:

{
  "allowScripts": {
    "some-addon": true
  }
}

On npm 11.16+ (advisory mode, before npm 12), npm install some-addon still runs the scripts and only warns. In that case, running npm approve-scripts some-addon after the install silences the warning and future-proofs the project.

Under npm 12, recovering after the ESTRICTALLOWSCRIPTS failure takes an extra step, because npm approve-scripts only matches installed packages and the failed install left nothing behind:

npm install some-addon --ignore-scripts   # install with scripts skipped
npm approve-scripts some-addon            # record the approval
npm rebuild some-addon                    # run the addon's install script now

Useful details:

  • Approvals are version-pinned by default: npm approve-scripts some-addon writes "some-addon@1.2.3": true, so a version update re-prompts. Use npm approve-scripts --no-allow-scripts-pin some-addon to approve all versions.
  • npm approve-scripts --allow-scripts-pending lists the packages awaiting review without changing anything.
  • npm deny-scripts some-addon records an explicit refusal — the install then succeeds with the addon's scripts silently skipped, and you get the missing-binary error at runtime.

For addon authors using this helper

  • Document the approval step in your install instructions — a one-liner with npm approve-scripts <your-package> next to your npm install <your-package> line. A user who knows the command fixes the problem in seconds; a user who doesn't gets a cryptic missing-.node error at runtime.
  • Consider the failure mode in your loading code: if your addon prints a helpful message when its binary is missing ("run npm approve-scripts <your-package> and npm rebuild <your-package>"), the npm-12 experience becomes self-explanatory.
  • There is nothing to change on the helper's side — the gate fires before any script of your package runs. Watch npm for package-side metadata that could smooth approval (pnpm's onlyBuiltDependencies is the precedent); none exists yet.
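
One way to implement the helpful missing-binary message in an addon's loading code. This is an added example, not code from this helper or from npm; the package name some-addon, the binary path in the usage comment, and the ERR_ADDON_BINARY_MISSING code are assumptions made for illustration.

```javascript
'use strict';

// Code attached to the wrapped error; a hypothetical name chosen for this example.
const MISSING_BINARY = 'ERR_ADDON_BINARY_MISSING';

// Build the hint shown to the user, using the recovery commands from this page.
function missingBinaryHint(pkg) {
  return [
    `${pkg}: the native binary is missing.`,
    'Its install script probably did not run: npm 12 skips dependency',
    'install scripts until the package is approved.',
    `Run:  npm approve-scripts ${pkg}`,
    `then: npm rebuild ${pkg}`,
  ].join('\n');
}

// Call `load`, a thunk wrapping the addon's own require() of its .node file.
// Only "module not found" is translated; any other failure is rethrown as is,
// so real load errors are not masked by the approval hint.
function loadBinding(pkg, load) {
  try {
    return load();
  } catch (err) {
    if (!err || err.code !== 'MODULE_NOT_FOUND') throw err;
    const wrapped = new Error(missingBinaryHint(pkg), { cause: err });
    wrapped.code = MISSING_BINARY;
    throw wrapped;
  }
}

// Intended use in the addon's entry point (the path is an assumption):
//   module.exports = loadBinding('some-addon',
//     () => require('./build/Release/addon.node'));

// Constructed demonstration: simulate the error Node raises for a missing file.
function demoMissingBinary() {
  const simulated = Object.assign(
    new Error("Cannot find module './build/Release/addon.node'"),
    { code: 'MODULE_NOT_FOUND' });
  try {
    loadBinding('some-addon', () => { throw simulated; });
  } catch (err) {
    return err;
  }
  return null;
}
```

The original error stays available as the cause property, so a bug report still shows which path failed to resolve.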
