GitHub has introduced new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve releases before packages become publicly available for installation.
This feature, called staged publishing, is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve a package before it can be sent to npmjs[.]com.
“Instead of a direct publish that makes a package version immediately available to consumers, the prebuilt tarball is uploaded to a stage queue, where a maintainer must explicitly approve it before it is installable,” GitHub said.
The Microsoft-owned subsidiary said the change ensures “proof of presence” for every publication, including non-interactive CI/CD workflows and trusted publishing with OpenID Connect (OIDC) authentication.
Before using staged publishing, package maintainers must meet the following criteria:
- They have publish access to the package
- The package already exists on the npm registry, which means staged publishing cannot be used to create a brand-new package
- 2FA is enabled for the account
Developers can use the “npm stage publish” command from the root directory of the package to submit it to the staging area. To use this command, it is necessary to update to npm CLI 11.15.0 or newer. For optimal security, GitHub is recommending that staged publishing be combined with trusted publishing using OIDC.
The second npm update introduces three new install source flags alongside the existing --allow-git flag:
- --allow-file: Controls installs from local file paths and local tarballs
- --allow-remote: Controls installs from remote URLs, including https tarballs
- --allow-directories: Controls installs from local directories
The flags allow developers to “apply the same explicit-allowlist approach to every non-registry install source,” GitHub said.
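To see which of these flags a project would actually depend on, the dependency specifiers in its package.json can be sorted by install source. The following is an added example, not code from GitHub or npm: the classifier is a simplified approximation of npm's specifier parsing, the tarball-versus-directory split is one reading of the flag descriptions above, and the manifest and host names are constructed.

```javascript
// Added example (not npm's own code): list non-registry install sources in a manifest.
// Flag names are as given in the article; the parsing rules are a simplified assumption.
const FLAG_FOR_SOURCE = {
  git: "--allow-git", file: "--allow-file",
  remote: "--allow-remote", directory: "--allow-directories",
};
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const TARBALL = /\.(tgz|tar\.gz|tar)$/i;

function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(git\+|git:\/\/|git@|(github|gitlab|bitbucket|gist):)/i.test(s)) return "git";
  // An http(s) URL ending in .git is a repository, anything else a remote tarball
  if (/^https?:\/\//i.test(s)) return /\.git(#.*)?$/i.test(s) ? "git" : "remote";
  if (/^file:/i.test(s) || /^(\.{1,2}\/|\/|~\/)/.test(s)) {
    return TARBALL.test(s) ? "file" : "directory";
  }
  // "owner/repo" or "owner/repo#ref" shorthand resolves to a git host
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return "git";
  return "registry"; // semver ranges, dist-tags, npm: aliases
}

function auditManifest(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const source = classifySpec(spec);
      if (source !== "registry") {
        findings.push({ section, name, spec, source, flag: FLAG_FOR_SOURCE[source] });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; package names and hosts are placeholders
const SAMPLE_MANIFEST = {
  dependencies: {
    "left-pad": "^1.3.0",
    "internal-lib": "git+https://git.example.com/team/internal-lib.git#v2.1.0",
    vendored: "file:./vendor/vendored-1.0.0.tgz",
    patched: "https://downloads.example.com/patched-3.2.1.tgz",
  },
  devDependencies: { "shared-config": "file:../shared-config", tool: "example-org/tool#main" },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.section}/${f.name}: ${f.source} source (${f.spec}) -> governed by ${f.flag}`);
}
```

Each finding is a dependency that does not resolve through the registry, so it is a candidate for review before the matching install source is allowed.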
The development comes amid a massive increase in software supply chain attacks targeting the open-source ecosystem over the past few months, with a cybercriminal group known as TeamPCP poisoning popular packages on an unprecedented scale through a self-perpetuating cycle of compromises.