Starting in July 2026, npm v12 will disable automatic script execution and remote dependency resolution to mitigate supply chain attacks. Developers must explicitly allow these behaviors to prevent malicious code from executing during package installation.