NPM's decision to make major, breaking changes in v12, including defaulting allowscripts, --allow-git and --allow-remote to off, is exactly the right call, as much as it's going to hurt.
Far as I can tell this isn't just breaking their entire install model, it's breaking an entire ethos of that ecosystem. An incredibly difficult decision to make, even in full confidence that it's the right one. The old approach just couldn't be made to work.
https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
