GitHub is releasing npm v12 next month, which will block dependency install scripts by default during npm install in order to stop supply-chain attacks. Malicious install scripts in dependencies, like those planted in eslint-config-prettier and Toptal's Picasso, will no longer run automatically. Git-based and remote URL dependencies now require explicit user approval before their scripts execute. Projects must upgrade to npm 11.16.
Tracked by ByteBrief