Bulk OIDC Trusted Publishing Configuration
Maintainers can now configure OIDC trusted publishing across multiple packages simultaneously using the new npm trust command. This eliminates the need to individually configure each package, streamlining the process of setting up automated, keyless authentication for package publishing.
Git Dependency Security Controls
A critical new security feature addresses a supply chain vulnerability: git dependencies—whether direct or transitive—can include .npmrc files that override the git executable path, potentially enabling arbitrary code execution during npm install even when using --ignore-scripts.
The new --allow-git flag provides explicit control over this behavior:
- --allow-git=all (current default): Allows all git dependencies
- --allow-git=none: Blocks git dependencies entirely
- Additional granular options available for finer control
Recommended action: Start using --allow-git=none in your workflows now. The npm team expects this to become the default in npm CLI v12, so adopting it early prevents future disruptions.
Migration Path
While the current default is --allow-git=all for backward compatibility, developers should audit their dependency trees and explicitly set --allow-git=none unless git dependencies are genuinely required. The shift to a secure-by-default posture represents a meaningful change in how npm handles supply chain risk.