{"id":15091,"date":"2026-05-25T03:01:44","date_gmt":"2026-05-25T03:01:44","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=15091"},"modified":"2026-05-25T03:01:44","modified_gmt":"2026-05-25T03:01:44","slug":"npm-provides-2fa-gated-publishing-and-bundle-set-up-controls-in-opposition-to-provide-chain-assaults","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=15091","title":{"rendered":"npm Provides 2FA-Gated Publishing and Bundle Set up Controls In opposition to Provide Chain Assaults"},"content":{"rendered":"


\n<\/p>\n

\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Could 23, 2026<\/span><\/span>Software program Provide Chain \/ DevSecOps<\/span><\/p>\n<\/div>\n

\n
\"\"<\/a><\/div>\n

GitHub has rolled out new controls for npm to enhance the safety of the software program provide chain, giving maintainers the flexibility to explicitly approve a launch previous to the packages changing into publicly obtainable for set up.<\/p>\n

Referred to as staged publishing, the characteristic is now typically obtainable on npm. It mandates {that a} human maintainer cross a two-factor authentication (2FA) problem to approve a bundle earlier than it’s pushed to the npmjs[.]com.<\/p>\n

“As a substitute of a direct publish that instantly makes a bundle model obtainable to shoppers, the prebuilt tarball is uploaded to a stage queue the place a maintainer should explicitly approve it earlier than it turns into installable,” GitHub stated<\/a>.<\/p>\n

The Microsoft-owned subsidiary stated the change ensures “proof of presence” for each publish, together with those who come from non-interactive CI\/CD workflows and trusted publishing with OpenID Join (OIDC) authentication.<\/p>\n

Earlier than utilizing staged publishing<\/a>, bundle maintainers have to satisfy the next standards –<\/p>\n