npm v12 will disable install scripts by default — audit CI/CD pipelines before July
From CTI Daily Brief — 2026-06-12 · published 2026-06-12
GitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including the implicit node-gyp build npm runs for a package that ships a binding.gyp without an install or preinstall script of its own) by default, requires npm approve-scripts for explicit opt-in, and refuses Git and remote-URL dependencies unless --allow-git/--allow-remote is passed (GitHub Changelog, 2026-06-09). This is a structural response to the install-script abuse that powered this spring's npm worm wave (Shai-Hulud/Miasma, IronWorm, TeamPCP; coverage 2026-06-06 through 2026-06-10) and brings npm in line with package managers such as pnpm and Bun that already block dependency install scripts by default (BleepingComputer, 2026-06-11). The deprecation warnings are live today in npm ≥ 11.16.0. Defender takeaway: this is a breaking change with a security upside. Run every pipeline's npm install on npm ≥ 11.16.0 now, with the same lockfiles, workspaces and flags CI uses, because the warnings only surface for packages that install actually resolves; build the script allow-list from that output before v12 ships, justifying each entry by what the script does rather than by which build breaks without it; and treat any pipeline that must keep scripts enabled wholesale as a finding, since a blanket opt-in recreates exactly the execution path the worms used.