npm bulk trusted publishing config and script security now generally available

Published: February 18, 2026 at 01:11 PM EST

Source: GitHub Changelog

New Features in npm CLI v11.10.0+

Two new features are available today in npm CLI v11.10.0+:

  • Bulk configuration for OIDC trusted publishing: Maintainers can now add or update trusted publishing configurations across multiple packages in a single operation using the npm trust command instead of configuring each package individually.

  • New --allow-git flag for npm install: Git dependencies—direct or transitive—can include .npmrc files that override the git executable path. This enables arbitrary code execution during install even when using --ignore-scripts. The new --allow-git flag gives you explicit control over this behavior.

The flag defaults to all for backward compatibility, but we highly encourage using --allow-git=none now and only re‑enabling it when git dependencies are truly necessary:

npm install --allow-git=none

--allow-git=none is expected to become the default in npm CLI v12. See the npm install --allow-git documentation for details.
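
Before adopting --allow-git=none, it helps to know which packages in a project are fetched from git, directly or transitively. The following is an added example, not code from the changelog or the npm project: it scans a parsed package-lock.json for git-sourced entries. The sample lockfile, its package names and its URLs are constructed.

```javascript
// Added example: list git-sourced packages recorded in an npm lockfile.
// Prefixes under which npm specifies or records git-hosted packages.
const GIT_PREFIX = /^(git\+|git:\/\/|github:|gitlab:|bitbucket:)/;

// Returns [{ path, source }] for every lockfile entry that comes from git.
function findGitDependencies(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (typeof entry.resolved === "string" && GIT_PREFIX.test(entry.resolved)) {
      hits.push({ path, source: entry.resolved });
    }
  }
  if (lock.packages) return hits; // v2 also carries "dependencies"; avoid duplicates
  // lockfileVersion 1: nested "dependencies" tree; the git URL sits in "version".
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (typeof entry.version === "string" && GIT_PREFIX.test(entry.version)) {
        hits.push({ path, source: entry.version });
      }
      walk(entry.dependencies, `${path}/`); // descend into transitive deps
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (package names and URLs are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-util": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/left-util/-/left-util-2.1.0.tgz",
    },
    "node_modules/internal-lib": {
      version: "0.3.0",
      resolved: "git+ssh://git@github.com/example-org/internal-lib.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/left-util/node_modules/forked-dep": {
      version: "1.0.0",
      resolved: "git+https://git.example.com/forks/forked-dep.git#89abcdef0123456789abcdef0123456789abcdef",
    },
  },
};

for (const { path, source } of findGitDependencies(sampleLock)) {
  console.log(`${path} <- ${source}`);
}
```

Passing the result of JSON.parse on a real package-lock.json to findGitDependencies audits that project; an empty result means the lockfile records no git-sourced packages.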

Join the discussion within the GitHub Community.
