{
  "id": "P010",
  "slug": "npm-v12-lifecycle-scripts-default-security-ignore-scripts-dependencies-npm-trusted-dependencies",
  "status": "search-observed",
  "product": "npm",
  "family": "Security default flip",
  "canonical_url": "https://gitdocs.org/fix/npm-v12-lifecycle-scripts-default-security-ignore-scripts-dependencies-npm-trusted-dependencies",
  "query_alias_url": "https://gitdocs.org/q/npm-v12-lifecycle-scripts-default-security-ignore-scripts-dependencies-npm-trusted-dependencies",
  "markdown_url": "https://gitdocs.org/fix/npm-v12-lifecycle-scripts-default-security-ignore-scripts-dependencies-npm-trusted-dependencies.md",
  "json_url": "https://gitdocs.org/api/fixes/npm-v12-lifecycle-scripts-default-security-ignore-scripts-dependencies-npm-trusted-dependencies.json",
  "canonical_query": "npm v12 lifecycle scripts default security ignore scripts dependencies npm trusted dependencies",
  "observed_codex_queries": [
    "npm v12 lifecycle scripts default security ignore scripts dependencies npm trusted dependencies",
    "site:docs.npmjs.com npm ignore-scripts lifecycle scripts install",
    "npm docs ignore-scripts config",
    "https://docs.npmjs.com/cli/v11/using-npm/config",
    "'allow-scripts' in https://docs.npmjs.com/cli/v11/using-npm/config"
  ],
  "organic_dependency_search_count": 5,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "The repository itself reveals the old configuration and a generic denial, but the newly required allow-list or opt-out can be identified only from the current external policy.",
  "before": "",
  "after": "",
  "verification": "The hidden verifier checks for the least-permissive current configuration and confirms that the blocked capability is restored without globally disabling the protection. Verify that only the exact packages/sources needed by the application are allowed.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad bypass that disables the protection globally when a narrow compatibility fix, allowing only the exact packages/sources the application needs, is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/",
      "label": "Upcoming breaking changes for npm v12"
    },
    {
      "url": "https://docs.npmjs.com/cli/v11/using-npm/config",
      "label": "Official reference opened by Codex"
    }
  ],
  "source_github_links": []
}
