npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

npm now requires 2FA approval for staged package publishing and adds install source flags — a major step to harden the software supply chain against malicious package injection.


What’s new: GitHub has introduced new security features for npm, including staged publishing that requires maintainers to approve package releases via two-factor authentication (2FA) before they become publicly available. This feature aims to enhance the security of the software supply chain by ensuring a human maintainer’s presence during the publishing process. Additionally, npm has added new install source flags to control installations from various sources, including local files and remote URLs.

Who’s affected

Package maintainers on npm who have publish access and have enabled 2FA on their accounts will be directly affected by the new staged publishing feature. Developers using npm will also need to adapt to the new install source flags.

What to do

  • Ensure that 2FA is enabled for your npm account to utilize the staged publishing feature.
  • Update to npm CLI version 11.15.0 or newer to access the new commands.
  • Familiarize yourself with the new install source flags, --allow-file, --allow-remote, and --allow-directory, to manage package installations securely.
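
As an added illustration (not code from this article, npm, or GitHub): a small Python check that sorts every dependency spec in a package.json into the install-source classes the new flags govern (local tarball, local directory, remote URL), plus git-hosted specs, so a maintainer can see which entries would not resolve through the registry before running an install. The sample package.json and the example.invalid hostnames are constructed for the example.

```python
import json
import re

# Constructed sample package.json for illustration; not from any real project.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "left-pad": "npm:left-pad@1.3.0",
    "local-util": "file:../local-util",
    "vendored-lib": "file:./vendor/lib-1.0.0.tgz",
    "hot-fix": "https://example.invalid/hot-fix-0.0.1.tgz",
    "fork": "git+https://example.invalid/org/fork.git#main"
  },
  "devDependencies": {
    "helper": "github:example-org/helper"
  }
}
"""

ARCHIVE_RE = re.compile(r"\.(tgz|tar\.gz|tar)$", re.IGNORECASE)
GIT_RE = re.compile(r"^(git(\+\w+)?:|ssh:|github:|gitlab:|bitbucket:|gist:)", re.IGNORECASE)


def classify_spec(spec: str) -> str:
    """Map an npm dependency spec to an install-source class.
    'file' = local tarball, 'directory' = local directory, 'remote' = URL tarball,
    'git' = git-hosted spec, 'registry' = anything else (ranges, tags, npm: aliases).
    Bare 'user/repo' GitHub shorthand is not recognised and falls into 'registry'."""
    s = spec.strip()
    if s.startswith("file:"):
        s = s[len("file:"):]
        return "file" if ARCHIVE_RE.search(s) else "directory"
    if s.startswith(("./", "../", "/", "~/")):
        return "file" if ARCHIVE_RE.search(s) else "directory"
    if GIT_RE.match(s):
        return "git"
    if re.match(r"^https?://", s, re.IGNORECASE):
        return "remote"
    return "registry"


def non_registry_deps(package_json: str) -> dict:
    """Return {name: (spec, class)} for every dependency, in any section,
    whose source is not the registry."""
    data = json.loads(package_json)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        for name, spec in data.get(section, {}).items():
            kind = classify_spec(spec)
            if kind != "registry":
                findings[name] = (spec, kind)
    return findings


if __name__ == "__main__":
    for name, (spec, kind) in non_registry_deps(SAMPLE_PACKAGE_JSON).items():
        print(f"{kind:9s} {name} -> {spec}")
```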
