Labels: Release, Supply Chain Security, changelog
npm bulk trusted publishing config and script security now generally available
Two new features are available today in npm CLI v11.10.0+:
- Bulk configuration for OIDC trusted publishing: Maintainers can now add or update trusted publishing configurations across multiple packages in a single operation using the `npm trust` command instead of configuring each package individually.
- New `--allow-git` flag for `npm install`: Git dependencies (direct or transitive) can include `.npmrc` files that override the git executable path. This enables arbitrary code execution during install even when using `--ignore-scripts`. The new `--allow-git` flag gives you explicit control over this behavior.
The flag defaults to `all` for backward compatibility, but we highly encourage using `--allow-git=none` now and only re-enabling it when git dependencies are truly necessary:
npm install --allow-git=none
`--allow-git=none` is expected to become the default in npm CLI v12. See the `npm install --allow-git` documentation for details.
Join the discussion within GitHub Community.
The post npm bulk trusted publishing config and script security now generally available appeared first on The GitHub Blog.
📅 Published: Wed, 18 Feb 2026 18:11:24 +0000