clawsmith.com/signal/npm-v12-install-script-migration-scanner
Issue · Underserved · dev_tool_cli · Live

A CLI tool that scans a JavaScript project for npm v12 install script breakage and generates a risk-annotated allowlist before July 2026

npm v12 (shipping July 2026) disables package install scripts by default. Any project that depends, directly or transitively, on a native-build package such as sharp, bcrypt, canvas, sqlite3, fsevents or bufferutil, which fetch or compile their bindings through node-gyp from an install script, breaks silently on upgrade: the install succeeds, and the failure only appears when the missing binding is loaded. Before July, developers must audit every transitive dependency for install-script usage, risk-score each one against supply chain attack history (the Miasma worm of June 1, 2026 exploited exactly this vector on Red Hat npm packages), and commit a verified allowlist to package.json. No existing tool combines dependency-tree scanning, risk scoring from known-compromised package history, and allowlist generation in a single workflow; the migration is manual today, and CI pipelines will fail silently on upgrade.

Product Idea from this Signal

A CLI tool that scans a project dependency tree for npm v12 breaking-change exposure and outputs a prioritized migration plan


npm v12 ships in July 2026 and makes three previously implicit behaviours opt-in: lifecycle install scripts from dependencies, git-sourced packages, and remote-URL packages. A project can have hundreds of transitive dependencies and no quick way to know which of them will break at upgrade time. This CLI walks the full lockfile, classifies every dependency by exposure type, checks whether each package carries a binding.gyp (which makes npm run node-gyp even without an explicit hook) or an explicit preinstall/install/postinstall script, flags git and remote-URL entries, and produces a prioritized, allowlist-ready migration report with per-package risk scores and one-command fixes. It is not a general vulnerability scanner and not a dependency version updater; it is scoped to the v12 breaking-change surface and outputs a commit-ready package.json allowScripts block plus CI patch instructions.

Tags: npm, dev-tooling, security, migration, nodejs, cli, supply-chain
Competitive · 396 leads

Score Breakdown

HN: 1,915

Gap Assessment

Underserved: existing solutions leave gaps

lavamoat/allow-scripts generates an allowlist but has no risk scoring and no supply chain history. Socket.dev and Snyk scan for malware but do not produce npm v12 allowlists or migration-ready CI patches. pnpm already ships this model (since pnpm 10, dependency build scripts are off by default and must be listed under pnpm.onlyBuiltDependencies in package.json), but that configuration is pnpm-specific and npm users cannot reuse it. The specific combination of dependency-tree scanning, historical compromise risk scoring, npm v12 allowlist output and a CI patch is not covered by any single tool.