TL;DR: npm v12 (targeted for July 2026) is an upstream release that changes how `npm install` behaves: dependency lifecycle scripts no longer run, Git and remote-URL dependencies no longer resolve, and `npm-shrinkwrap.json` support is removed.
You are affected if you install npm with `apk add npm`, or if you build on a Chainguard image that bundles npm (see the list below). No action is required if your npm usage does not rely on these behaviors. If it does, test now with npm 11.16.0 or newer, following the guide "How to Prepare for and Migrate to npm v12".
Effective Change Date: July 27, 2026 (targeted)
What's changing
These are upstream npm changes, not Chainguard-specific behavior. They affect you in two ways: when you install the Chainguard npm package with `apk add npm`, and when you build on a Chainguard image that bundles npm.
- Dependency lifecycle scripts are off by default. `npm install` no longer runs `preinstall`, `install`, or `postinstall` scripts from dependencies unless you allow them. This also blocks native `node-gyp` rebuilds and the `prepare` scripts of Git, file, and link dependencies.
- Git dependencies are off by default. `npm install` no longer resolves Git dependencies, direct or transitive, unless you allow them with `--allow-git=all`.
- Remote-URL dependencies are off by default. `npm install` no longer resolves dependencies from remote URLs, such as HTTPS tarballs, unless you allow them with `--allow-remote=all`. The `--allow-file` and `--allow-directory` defaults do not change.
- `npm-shrinkwrap.json` support is removed. The `npm shrinkwrap` command and the `shrinkwrap` config alias are removed. Any `npm-shrinkwrap.json` is ignored, both at a project root and inside dependency tarballs.
Why we’re making this change
These defaults come from upstream npm and reduce supply-chain risk by removing code-execution and resolution paths that run automatically during install. Chainguard tracks upstream npm, so the new defaults arrive in the Chainguard npm package and in the images that bundle it when they update to npm v12.
Do you need to do anything?
You're in scope if you use `apk add npm` or build on one of these images (production and -dev variants are both affected):
| Affected images |
| --- |
| node |
| node-fips |
| pulumi |
| litellm |
| renovate |
| renovate-fips |
| librechat |
| librechat-fips |
| cadence-web |
| cadence-web-fips |
| request-306 |
| cypress-base |
| scanner-test |
| tileserver-gl |
| tileserver-gl-fips |
| actions-runner |
| kubeflow-centraldashboard |
Within those, action is only needed if your build or runtime does any of the following:
- Runs dependency install scripts. These are common in native modules that build with `node-gyp` (such as `bcrypt` or `better-sqlite3`) and in tools that download a binary on install (such as Playwright or Puppeteer). This is not an exhaustive list.
- Installs Git or remote-URL dependencies.
- Relies on a committed or published `npm-shrinkwrap.json` to pin its dependency tree.
To check: run your install on npm 11.16.0 or newer and read the warnings, which list exactly what will be affected under v12.
Need help or have questions?
We're here to help: visit our support portal at support.chainguard.dev.
- Chainguard Team