{
  "id": "P006",
  "slug": "npm-transitive-git-dependency-blocked-security-default-git-dependency-prepare-scripts",
  "status": "search-observed",
  "product": "npm",
  "family": "Security default flip",
  "canonical_url": "https://gitdocs.org/fix/npm-transitive-git-dependency-blocked-security-default-git-dependency-prepare-scripts",
  "query_alias_url": "https://gitdocs.org/q/npm-transitive-git-dependency-blocked-security-default-git-dependency-prepare-scripts",
  "markdown_url": "https://gitdocs.org/fix/npm-transitive-git-dependency-blocked-security-default-git-dependency-prepare-scripts.md",
  "json_url": "https://gitdocs.org/api/fixes/npm-transitive-git-dependency-blocked-security-default-git-dependency-prepare-scripts.json",
  "canonical_query": "npm transitive git dependency blocked security default git dependency prepare scripts",
  "observed_codex_queries": [
    "npm transitive git dependency blocked security default git dependency prepare scripts",
    "npm install fails transitive git dependency security change prepare script git dependency npm 7",
    "\"transitive git dependency\" npm blocked",
    "npm v7 block git dependencies security default",
    "site:docs.npmjs.com package.json git url dependencies npm install git dependencies",
    "npm package spec git dependencies docs npm package-spec",
    "\"security default\" \"npm\" \"git\" dependency"
  ],
  "organic_dependency_search_count": 7,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "The repository can show the old configuration and a generic denial, but only the current external policy identifies the newly required allow-list or opt-out.",
  "before": "",
  "after": "",
  "verification": "Hidden verifier checks the least-permissive current configuration and confirms the blocked capability is restored without globally disabling the protection. Verify that only the exact packages/sources needed by the application are allowed.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad unsafe bypass when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/",
      "label": "Upcoming breaking changes for npm v12"
    }
  ],
  "source_github_links": []
}
