
npm Introduces 2FA-Controlled Publishing and Package Installation Controls

In a nutshell: npm gains two new security features, staged publishing with 2FA approval and install-source controls, both designed to curb supply-chain attacks.

GitHub has released new security controls for npm that let package maintainers explicitly approve a release before it becomes publicly available. The aim is to protect the software supply chain from attacks that push malicious versions through compromised accounts or automation.

GitHub has introduced a set of security measures for npm to protect the integrity of the software supply chain. The central new feature is “Staged Publishing”, a two-step release process that is now generally available.

With this method, a prebuilt package is first uploaded to a staging queue instead of being published directly. A package maintainer must then confirm two-factor authentication (2FA) to release the package for installation. This ensures that every release is validated by a human, even with automated CI/CD workflows and trusted publishing via OpenID Connect (OIDC).

To use staged publishing, developers must meet several prerequisites: publishing access to the package, which must already exist in the npm registry (new packages cannot be staged), and 2FA must be enabled. The package is submitted for approval using the “npm stage publish” command.

In parallel, GitHub is introducing three new install source flags that work together with the existing --allow-git flag: --allow-file for local file paths and tarballs, --allow-remote for remote URLs including HTTPS tarballs, and --allow-directory for local directories. Together these controls let developers apply an explicit allowlist to every non-registry installation source.
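As an added illustration of the allowlist model these flags express (example code written for this article, not npm's own implementation), the following Node.js script classifies every dependency specifier in a package.json into one of the install sources named above and reports any non-registry source that is not on the allowlist. The classification rules are a simplified approximation of npm's specifier parsing and are an assumption of this example, as are the sample package.json contents, which are constructed.

```javascript
// Added example, not npm's own code. Classify dependency specifiers into the
// install sources the --allow-* flags govern and enforce an allowlist over the
// non-registry ones. The rules below are a simplified assumption, not npm's
// actual specifier parser.

// Source names deliberately match the flag names: --allow-git, --allow-file,
// --allow-remote, --allow-directory. "registry" is always permitted.
function classifySpec(spec) {
  const s = String(spec).trim();
  // "npm:" aliases still resolve through the registry.
  if (/^npm:/i.test(s)) return 'registry';
  // Local paths: a tarball is a "file" source, any other path a "directory".
  if (/^file:/i.test(s) || /^(\.\.?\/|\/|~\/)/.test(s)) {
    return /\.(tgz|tar\.gz|tar)$/i.test(s) ? 'file' : 'directory';
  }
  // HTTP(S) URLs, typically pointing at a tarball.
  if (/^https?:\/\//i.test(s)) return 'remote';
  // Git protocols, scp-style git URLs and hosted-git shorthands.
  if (/^git(\+[a-z]+)?:\/\//i.test(s) || /^git@/i.test(s)) return 'git';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'git';
  // Bare "owner/repo[#ref]" is GitHub shorthand (assumption mirroring npm).
  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#\S*)?$/.test(s)) return 'git';
  // Everything else (semver ranges, dist-tags) comes from the registry.
  return 'registry';
}

// Walk the dependency sections and collect every entry whose source is
// neither the registry nor on the allowlist.
function checkDependencies(pkg, allowedSources) {
  const allowed = new Set(allowedSources);
  const violations = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const source = classifySpec(spec);
      if (source !== 'registry' && !allowed.has(source)) {
        violations.push({ section, name, spec, source });
      }
    }
  }
  return violations;
}

// Constructed sample package.json covering every source type.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    express: '^4.19.0',                                              // registry
    'left-pad-fork': 'npm:left-pad@^1.3.0',                          // registry alias
    'internal-util': 'file:../internal-util',                        // directory
    'vendored-lib': 'file:./vendor/vendored-lib-2.0.0.tgz',          // file
    'hotfix-lib': 'https://cdn.example.test/hotfix-lib-1.0.1.tgz',   // remote
    'forked-parser': 'github:example-org/parser#v3.1.0',             // git
  },
  devDependencies: {
    jest: '~29.7.0',                                                 // registry
  },
};

// Policy for this run: only git sources are allowlisted (the equivalent of
// passing --allow-git and none of the other --allow-* flags).
const ALLOWED = ['git'];

function auditSample() {
  return checkDependencies(SAMPLE_PACKAGE_JSON, ALLOWED);
}

for (const v of auditSample()) {
  console.log(`blocked: ${v.section}.${v.name} = ${v.spec} (source: ${v.source}, would need --allow-${v.source})`);
}
```

Running the script lists the three blocked entries (the directory, file and remote sources) and stays silent for registry and git specifiers, which is the same decision the allowlist flags encode at install time.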

These measures respond to a massive wave of supply-chain attacks against open-source ecosystems. Cybercriminal groups such as TeamPCP have recently poisoned popular packages at an unprecedented scale through self-perpetuating compromises.
