npm RFC #868 will block this package's install script by default

[JamieMagee]

Current behavior

Hi there,

I'm reaching out because cypress is one of the most depended-on npm packages that runs an install script, and an accepted npm RFC is going to change how those scripts behave.

The RFC blocks dependency install scripts by default during npm install. That's the same thing pnpm, Yarn Berry, Bun, and Deno already do. Users opt back in per package through a new allowScripts field in package.json (or the npm approve-scripts command). The motivation is the run of supply-chain attacks over the last couple of years that used postinstall hooks to run code the moment a package landed in the tree.

For cypress, the script that's affected is:

"postinstall": "node dist/index.js --exec install"

That script downloads or builds something cypress needs to work, so under the new default it won't run unless the user adds cypress to their allowScripts. Installs that skip it will likely fail at runtime with a missing-binary error, which is a confusing failure mode for your users. The most robust fix is to move that work to first use, the first time the package is actually run, so it keeps working with no allowlist entry. If it has to stay at install time, please document the allowScripts line prominently in your README.

I wanted to flag this early so you've got time to plan rather than find out when the install warnings start showing up. The full RFC is here: npm/rfcs#868. Happy to answer any questions.

Debug logs

Cypress Version

15.16.0

Node version

26.3.0

Package Manager

npm

Package Manager Version

12.0.0

Operating system

Linux

Operating System Version

N/A

Other

No response

[MikeMcC399]

@JamieMagee

Can you anticipate when npm 12 will be released and which version of Node.js will have npm 12 bundled?

When the time comes, the https://docs.cypress.io/app/get-started/install-cypress#Package-Manager documentation page could include instructions about using allowScripts with npm, as is already the case for pnpm.

Yarn Berry snuck in later with yarn@4.14.0 in Apr 2026 , setting enableScripts: false as default. That isn't documented yet in the above, but users seem to be coping.

[JamieMagee]

We're aiming to release npm 12 sometime in the next month, but I don't have an exact date for you. I'm not sure which version of Node.js will bundle npm 12, but I can try and find out if it'll be included in 26.x or 27.

[MikeMcC399]

There was no mention that Phase 1 is already implemented in npm@11.16.0

---

Node.js 26.3.0, released June 1, 2026, bumped the bundled npm version to

npm@11.16.0

which added "Phase 1 of allowScripts opt-in install-script policy"

• feat: Phase 1 of allowScripts opt-in install-script policy npm/cli#9360
• feat: Phase 1 of allowScripts opt-in install-script policy (#9360) npm/cli#9415

Install behaviour is unchanged. Scripts still run as they always have. The only Phase 1 user-visible change is one advisory block at the end of npm install listing packages whose install scripts haven't been reviewed via the new allowScripts field in package.json. A future release will turn that advisory into an actual block.

npm approve-scripts documents this command for npm 11

---

Example warning:

npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts   cypress@15.16.0 (postinstall: node dist/index.js --exec install)
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.

[JamieMagee]

Yes, the first phase was released in npm 11.16.0, but scripts still run by default. There is no breaking behaviour change in that release.

I didn't realise that it had been included in Node.js 26.3.0.

[MikeMcC399]

I also chatted to the Node.js team who referred me to https://github.com/npm/cli/wiki/Integrating-with-node , so on the surface my expectation would be that npm 12 would not make its way into the Node.js bundle until Node.js 27 (Alpha in Oct 2026, Current release in April 2027). That is not to state a definitive decision though, which should probably get worked out between the npm team and the Node.js Technical Steering Committee. This is just a working hypothesis!

Edit: there is now an open issue nodejs/Release#1161 for this discussion, and it seems likely that npm 12 may be bundled into Node.js as a security update.

On the other hand, once npm releases npm 12, users can separately upgrade to this version, on top of what Node.js bundles, so Cypress needs to be prepared for your npm 12 release, which you say is planned for next month.

BTW: The following warning is also output when installing cypress with npm install cypress --global where the advice doesn't really fit. Cypress uses a global install when building its own Docker images and that is where I noticed a mismatch:

npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.

[JamieMagee]

I updated the warning message for global installs: npm/cli#9469. It'll be included in npm v11.17.0.

[MikeMcC399]

The most robust fix is to move that work to first use, the first time the package is actually run, so it keeps working with no allowlist entry.

This would be a disruptive and breaking change, significantly impacting documentation and testing. I tend to think that this would be a less robust fix, and that the easier fix is to adapt to allow-scripts for npm, as has already been done in a similar way for pnpm and Yarn Modern.

[jennifer-shehane]

@JamieMagee Thanks for surfacing this to us directly! We’re looking into implications of removing postinstall and any other options that will ease disruption for our users.