npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

Ravie Lakshmanan | May 23, 2026 | Software Supply Chain / DevSecOps

GitHub recently introduced new controls for npm to enhance the security of the software supply chain. The new feature, staged publishing, allows maintainers to approve a release before it is publicly available for installation.

With staged publishing, a human maintainer must pass a two-factor authentication (2FA) challenge to approve a package before it is pushed to npmjs[.]com.

According to GitHub, this change ensures a "proof of presence" for every publish, even for non-interactive CI/CD workflows and trusted publishing with OpenID Connect (OIDC) authentication.

Before using staged publishing, package maintainers need to meet specific criteria, including having publish access to the package, the package already existing on the npm registry, and 2FA being enabled for the account.

Developers can use the command "npm stage publish" to submit a package to a staging area. GitHub recommends pairing staged publishing with trusted publishing for optimal protection.

Another update from GitHub introduces three new install source flags alongside the existing --allow-git flag, giving developers more control over installations from different sources.
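Per-source install controls are only useful if you know which of your dependencies are not fetched from the registry. The following audit is an added example (not code from GitHub, npm or this article): it classifies each dependency specifier in a package.json by install source (registry, git, URL tarball, local path) using npm's specifier syntax as I understand it; the sample package.json is constructed, and the names of the three new flags are not on this page and are not assumed here.

```python
import json
import re

# Constructed sample package.json for the demo (not a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "lodash": "^4.17.21",                       # registry range
        "left-pad": "npm:left-pad@1.3.0",           # registry alias
        "my-fork": "git+https://github.com/example/my-fork.git#v1.2.0",
        "shorthand-dep": "example/other-repo",      # GitHub owner/repo shorthand
        "tarball-dep": "https://example.com/pkg-1.0.0.tgz",
        "local-dep": "file:../shared-lib",
    },
    "devDependencies": {"typescript": "~5.4.0", "tool": "./tools/tool"},
})

GIT_PREFIXES = ("git+", "git://", "ssh://", "github:", "gitlab:", "bitbucket:", "gist:")
PATH_PREFIXES = ("file:", "./", "../", "/", "~/")
SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")  # bare owner/repo[#ref]


def classify_spec(spec: str) -> str:
    """Return the source kind npm would fetch this specifier from."""
    if spec.startswith(GIT_PREFIXES):
        return "git"
    if spec.startswith(("http://", "https://")):
        return "url"          # remote tarball
    if spec.startswith(PATH_PREFIXES):
        return "path"         # local file or directory
    if SHORTHAND_RE.match(spec):
        return "git"          # owner/repo shorthand resolves to GitHub
    return "registry"         # versions, ranges, dist-tags, npm: aliases


def audit_package_json(text: str) -> dict:
    """Map every dependency name to its source kind across all sections."""
    data = json.loads(text)
    result = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            result[name] = classify_spec(spec)
    return result


def non_registry(text: str) -> dict:
    """Only the dependencies that would be affected by per-source install controls."""
    return {n: k for n, k in audit_package_json(text).items() if k != "registry"}


if __name__ == "__main__":
    for name, kind in non_registry(SAMPLE_PACKAGE_JSON).items():
        print(f"{kind:9} {name}")
```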

These developments come at a crucial time as software supply chain attacks targeting open-source ecosystems have been on the rise, emphasizing the importance of security measures like staged publishing and explicit-allowlist approaches.