VMTech · Instagram

npm introduces 2FA for releases and controls installation sources

Colleagues, a security update: npm has introduced staged publishing and new flags to control installation sources.

Staged publishing requires a maintainer’s 2FA confirmation before a package becomes available; it requires npm CLI ≥11.15, 2FA enabled, and the package already present in the registry.

The flags --allow-file, --allow-remote and --allow-directory explicitly permit installs from local files, URL archives and directories.
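Before enabling these flags, a team will want to know which of its dependencies already resolve outside the registry. The following is an added example, not code from the original post or from npm: it audits a package.json and reports which `--allow-*` flag each non-registry spec would need. The mapping of spec shapes to flags is an assumption based on the post's description of the flags; the sample manifest is constructed.

```javascript
// Added example (not from the original post): classify dependency specs in a
// package.json by install source. Mapping spec shapes to --allow-* flags is an
// assumption drawn from the post's wording, not npm's documented behaviour.
const ARCHIVE_RE = /\.(tgz|tar\.gz|tar)$/i;

// Classify one dependency spec string by where npm would fetch it from.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) {
    return { source: "remote", flag: "--allow-remote" }; // URL archive
  }
  if (/^(git\+|git:|ssh:|github:|gitlab:|bitbucket:)/i.test(s)) {
    return { source: "git", flag: null }; // git source: not one of the three flags
  }
  if (/^(file:|\.\.?\/|\/)/.test(s)) {
    return ARCHIVE_RE.test(s.replace(/^file:/, ""))
      ? { source: "file", flag: "--allow-file" }            // local tarball
      : { source: "directory", flag: "--allow-directory" }; // local directory
  }
  return { source: "registry", flag: null }; // semver range, dist-tag, alias
}

// Walk every dependency section; return one record per non-registry dep.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const c = classifySpec(spec);
      if (c.source !== "registry") findings.push({ section, name, spec, ...c });
    }
  }
  return findings;
}

// Sorted, de-duplicated list of --allow-* flags the install would need.
function requiredFlags(pkg) {
  return [...new Set(auditPackageJson(pkg).map((f) => f.flag).filter(Boolean))].sort();
}

// Constructed sample manifest (no real project) mixing every source kind.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    lodash: "^4.17.21",
    "shared-lib": "file:../shared-lib",
    "vendored-lib": "file:./vendor/vendored-lib-1.0.0.tgz",
    "remote-lib": "https://example.invalid/remote-lib-1.0.0.tgz",
  },
  devDependencies: { "git-tool": "github:example-org/git-tool" },
};

console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
console.log("flags needed:", requiredFlags(SAMPLE_PACKAGE_JSON).join(" "));
```

Run it against a real manifest by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(require("fs").readFileSync("package.json", "utf8"))`; an empty flag list means the install can be locked to the registry without any `--allow-*` option.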

GitHub recommends combining staged publishing with trusted publishing via OIDC.

Why it matters: these measures strengthen proof of presence and raise the bar against mass package poisoning.

How will your team adapt package publishing and installation processes?

#cybersecurity #supplychain #npm #DevSecOps
