NPM 12 and install scripts

Eugene Lazutkin edited this page Jun 11, 2026 · 3 revisions

Starting with npm 12 (scheduled for July 2026), npm no longer runs dependency lifecycle scripts by default. This page explains what changes, who is affected, and what to do about it — both as an end user installing a binary addon and as an addon author using this helper.

What changes in npm 12

  • preinstall / install / postinstall scripts of dependencies do not run unless the dependency is explicitly allowed.
  • The implicit node-gyp rebuild for packages with a binding.gyp does not run either — so the classic build-from-source flow is gated the same way as the prebuilt download.
  • prepare scripts of git / file / link dependencies are gated as well.

npm 11.16.0 (May 2026) introduced the same machinery in advisory mode: scripts still run, but an end-of-install summary names every package with unreviewed install scripts. npm 12 turns that into a hard block.

Why it matters for this project

install-from-cache runs as the consuming addon's install script. Under npm 12 defaults, a plain npm install <addon> runs neither the prebuilt-artifact download nor the node-gyp fallback — the addon ends up without its binary, and the first require() of it fails with a missing-module error. Nothing in this helper can bypass the gate: it is a consumer-side security decision, the same one that hits every native addon (Playwright, Puppeteer, Electron, sharp, ...).

For end users: approving an addon

Approve the addon once per project — npm records the approval in your package.json:

npm install some-addon       # npm warns: install scripts were not run
npm approve-scripts some-addon
npm rebuild some-addon       # runs the addon's install script now

Or pre-approve before installing, by adding to your project's package.json:

{
  "allowScripts": {
    "some-addon": true
  }
}

Useful details:

  • Approvals are version-pinned by default: npm approve-scripts some-addon writes "some-addon@1.2.3": true, so a version update re-prompts. Use npm approve-scripts --no-allow-scripts-pin some-addon to approve all versions.
  • npm approve-scripts --allow-scripts-pending lists the packages awaiting review without changing anything.
  • npm deny-scripts some-addon records an explicit refusal (the addon will not build; you will get the missing-binary error at runtime).
  • On npm 11.16.0+ (before npm 12) everything still works without approval — you just see the summary warning. Approving early means no surprises in July.

For addon authors using this helper

  • Document the approval step in your install instructions — a one-liner with npm approve-scripts <your-package> next to your npm install <your-package> line. A user who knows the command fixes the problem in seconds; a user who doesn't gets a cryptic missing-.node error at runtime.
  • Consider the failure mode in your loading code: if your addon prints a helpful message when its binary is missing ("run npm approve-scripts <your-package> and npm rebuild <your-package>"), the npm-12 experience becomes self-explanatory.
  • There is nothing to change on the helper's side — the gate fires before any script of your package runs. Watch npm for package-side metadata that could smooth approval (pnpm's onlyBuiltDependencies is the precedent); none exists yet.
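
The loading-code guard suggested above could look like the following. This is an added example, not code from this helper; the package name some-addon, the binding paths, and the ERR_ADDON_BINARY_MISSING code are assumptions made for illustration.

```javascript
// Hypothetical error code for this example; not defined by npm or Node.js.
const BINARY_MISSING = 'ERR_ADDON_BINARY_MISSING';

// Build the error shown when the compiled binary was never produced, which is
// what happens when npm skipped the package's install script.
function missingBinaryError(packageName, bindingPath, cause) {
  const error = new Error(
    `${packageName}: native binary not found at ${bindingPath}.\n` +
    "npm may have skipped this package's install script. To build it, run:\n" +
    `  npm approve-scripts ${packageName}\n` +
    `  npm rebuild ${packageName}`,
    {cause}
  );
  error.code = BINARY_MISSING;
  return error;
}

// Load the binding through the supplied require function. Only a missing
// module is translated; any other failure (for example a binary built for a
// different Node.js ABI, reported as ERR_DLOPEN_FAILED) is rethrown untouched
// so the approve-scripts advice never masks an unrelated problem.
function loadBinding(packageName, bindingPath, requireFn) {
  try {
    return requireFn(bindingPath);
  } catch (error) {
    if (error && error.code === 'MODULE_NOT_FOUND') {
      throw missingBinaryError(packageName, bindingPath, error);
    }
    throw error;
  }
}

// In an addon's CommonJS entry point this would be used as (path is assumed):
//   module.exports = loadBinding('some-addon', './build/Release/addon.node', require);

// Demo with a constructed path that does not exist on disk.
if (typeof require === 'function') {
  try {
    loadBinding('some-addon', './constructed-missing/addon.node', require);
  } catch (error) {
    console.error(error.message);
  }
}
```

The original MODULE_NOT_FOUND error stays attached as cause, so the full require stack is still available for debugging.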
