GitHub / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.
They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c...
And the discussion here, with 215 comments: https://news.ycombinator.com/item?id=48467705
Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would make it harder for existing projects that rely on packages with lifecycle scripts to upgrade.
This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?
People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks.
They will if it's the only version. Eventually.