npm introduces 2FA-gated staged publishing and flags to control installation sources

Colleagues, a security update: npm has introduced staged publishing and new flags to control installation sources.
Staged publishing holds a new version back until a maintainer confirms it with 2FA; the prerequisites are npm CLI 11.15 or later, 2FA enabled on the account, and a package that already exists in the registry.
Three new flags gate non-registry install sources: --allow-file for local files, --allow-remote for URL archives and --allow-directory for local directories; each source has to be permitted explicitly.
GitHub recommends combining staged publishing with trusted publishing via OIDC.
Why it matters: these measures strengthen proof of human presence at publish time and raise the bar against mass package poisoning.
How will your team adapt package publishing and installation processes?
#cybersecurity #supplychain #npm #DevSecOps

