GitHub has announced significant security enhancements for npm, aimed at bolstering the integrity of the software supply chain. The changes include a staged publishing flow that gates the release of a package version behind a two-factor authentication (2FA) challenge completed by a human maintainer, and new controls over the sources from which packages may be installed.
Staged Publishing Feature
The newly launched staged publishing feature allows package maintainers to approve releases before they are publicly available on npm. This process requires a human maintainer to complete a 2FA challenge, ensuring that a package version is not immediately accessible upon publication. Instead, the package is uploaded to a staging queue, where it awaits explicit approval.
According to GitHub, this change provides a necessary proof of presence for each publication, which is particularly important for packages released through automated CI/CD workflows and those authenticated via OpenID Connect (OIDC).
Requirements for Staged Publishing
To utilize staged publishing, maintainers must meet specific criteria:
- They must have publish access to the package.
- The package must already exist on the npm registry; new packages cannot be staged.
- The account must have 2FA enabled.
Developers can initiate the staging process using the command npm stage publish from the package’s root directory, provided they are using npm CLI version 11.15.0 or newer.
New Install Source Flags
In addition to staged publishing, GitHub has introduced three new install source flags that complement the existing --allow-git flag:
- --allow-file: Controls installations from local file paths and tarballs.
- --allow-remote: Controls installations from remote URLs, including HTTPS tarballs.
- --allow-directory: Controls installations from local directories.
These flags enable developers to implement an explicit allowlist approach for all non-registry installation sources.
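The allowlist idea behind these flags can also be enforced before install runs, as a CI gate over package.json. The script below is an added example and is not code from npm or GitHub: it classifies each dependency specifier into the same five sources the flags distinguish (registry, file, directory, remote, git) and reports every non-registry source that is not explicitly allowed. The specifier patterns are this example's own assumptions about how npm specifiers look rather than npm's parser, and the package.json contents are constructed for the demonstration.

```javascript
'use strict';

// Added example, not npm's own code. Classifies dependency specifiers by
// install source so a CI step can fail on non-registry sources that are not
// on an explicit allowlist. Category names mirror the install source flags;
// the matching rules below are this example's assumptions about how such
// specifiers look, not npm's internal parser.

const TARBALL_RE = /\.(tgz|tar\.gz|tar)$/i;
// git hosts: git:, git+ssh:, git+https:, github:, gitlab:, bitbucket:, gist:
const GIT_RE = /^(git(\+[a-z]+)?:|github:|gitlab:|bitbucket:|gist:)/i;
// bare "owner/repo" (optionally "#ref") is GitHub shorthand
const SHORTHAND_RE = /^[\w.-]+\/[\w.-]+(#.*)?$/;

// Returns one of: 'registry', 'file', 'directory', 'remote', 'git'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (GIT_RE.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return 'remote';
  let localPath = null;
  if (/^file:/i.test(s)) localPath = s.slice('file:'.length);
  else if (/^(\.\.?\/|\/|~\/)/.test(s)) localPath = s;
  if (localPath !== null) {
    // Assumption: a tarball extension means a packed file, anything else a directory.
    return TARBALL_RE.test(localPath) ? 'file' : 'directory';
  }
  if (SHORTHAND_RE.test(s)) return 'git';
  return 'registry'; // versions, ranges, dist-tags and npm: aliases
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// allowed: non-registry sources that are permitted; the registry is always allowed.
// Returns the list of dependencies whose source is not on the allowlist.
function auditDependencies(pkg, allowed = []) {
  const permitted = new Set(['registry', ...allowed]);
  const violations = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const source = classifySpec(spec);
      if (!permitted.has(source)) violations.push({ field, name, spec, source });
    }
  }
  return violations;
}

// Constructed package.json contents for the demonstration (not a real project).
const SAMPLE_PACKAGE = {
  name: 'example-app',
  dependencies: {
    express: '^4.19.2',
    lodash: 'npm:lodash-es@4.17.21',
    'left-pad': 'https://example.invalid/left-pad-1.3.0.tgz',
    'vendored-lib': 'file:../vendor/vendored-lib-1.0.0.tgz',
    'workspace-lib': 'file:./packages/workspace-lib',
    'shared-utils': 'github:example-org/shared-utils#v2.0.0',
  },
  devDependencies: {
    eslint: 'latest',
    'local-tool': '../tools/local-tool',
  },
};

// Policy for this run: only local directories (e.g. workspaces) are allowed
// besides the registry; remote tarballs, local tarballs and git sources fail.
const report = auditDependencies(SAMPLE_PACKAGE, ['directory']);
for (const v of report) {
  console.log(`${v.field}/${v.name}: ${v.source} source not allowed (${v.spec})`);
}
```

Run this with node before npm ci and fail the pipeline when the report is non-empty. It only sees the direct dependencies declared in package.json; the CLI flags apply at install time to every source npm actually resolves, including those pulled in by transitive dependencies, so a check like this complements them rather than replacing them.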
Context of the Changes
These updates come in response to a notable increase in software supply chain attacks, particularly targeting open-source ecosystems. A group known as TeamPCP has been reported to poison popular packages at an alarming rate, underscoring the need for enhanced security measures.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.