Today we’re shipping two updates focused on supply-chain security for npm:
Staged publishing is generally available. New --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag.
Both are available in npm CLI 11.15.0 or newer.
Staged publishing is now generally available on npm. Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable. The queue is visible both on npmjs.com and in the npm CLI.
Staged publishing reinforces proof of presence on every publish, including those that originate from non-interactive CI/CD workflows and those using trusted publishing with OIDC. A human maintainer with a 2FA challenge is required to approve a staged package before it is released to the registry.
Staged publishing is live today, and so are the docs.
npm CLI 11.15.0 or newer is required to use npm stage. Update CI/CD workflows to use npm stage publish instead of npm publish where you want staged behavior.
We recommend pairing staged publishing with trusted publishing (OIDC). A trusted publishing configuration can be limited to stage-only, which means npm publish from that workflow will be rejected and only npm stage publish is accepted. Your CI workflows continue to run non-interactively, and a maintainer later approves the staged version from the website or the CLI.
You can also run npm stage publish locally, but the highest-value setup is CI publishing to the stage queue and a maintainer approving from a trusted device.
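As an added example (not part of the announcement or npm's own documentation), a GitHub Actions workflow that publishes to the stage queue through trusted publishing; the workflow, job and step names, the Node version and the actions used are assumptions, and the stage-only restriction itself is configured on the package's trusted publisher settings on npmjs.com, not in this file:

```yaml
# Assumed example workflow: publish a release tag to the npm stage queue.
# The OIDC token (id-token: write) is what trusted publishing authenticates with,
# so no long-lived NPM_TOKEN secret is stored in the repository.
name: stage-publish

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read
  id-token: write   # required for trusted publishing (OIDC)

jobs:
  stage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24            # assumed version
          registry-url: https://registry.npmjs.org

      # npm stage needs npm CLI 11.15.0 or newer; the bundled npm may be older.
      - name: Ensure npm >= 11.15.0
        run: npm install -g npm@latest && npm --version

      - name: Install and test
        run: |
          npm ci
          npm test

      # Uploads the tarball to the stage queue instead of publishing directly.
      # A maintainer then approves it (with a 2FA challenge) on npmjs.com or
      # from the CLI before the version becomes installable.
      - name: Stage the package
        run: npm stage publish
```

If the trusted publisher for the package is set to stage-only, a workflow that still runs plain npm publish is rejected by the registry, which is the check that keeps a compromised CI job from releasing directly.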