tl;dr: npm v12 (July 2026) will disable several install-time behaviors by default: lifecycle scripts (preinstall/install/postinstall, including implicit node-gyp builds) won't run unless explicitly allowlisted via `npm approve-scripts`, and Git and remote URL dependencies will require `--allow-git` and `--allow-remote` flags respectively. These changes are already available as warnings in npm 11.16.0+, so users can run installs now, review warnings, approve trusted packages, and commit the resulting allowlist to package.json before upgrading.