npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
GitHub has introduced staged publishing for npm, requiring human maintainer approval with 2FA before packages become publicly installable, adding stronger proof of presence for releases. It also added new install source flags to help developers tightly control non-registry installs amid a surge in supply chain attacks, including large-scale package poisoning by TeamPCP. #npm #GitHub #TeamPCP

Key points

  • Staged publishing is now generally available on npm.
  • Maintainers must approve releases with 2FA before packages are published.
  • The feature adds proof of presence for interactive and CI/CD-based publishes.
  • Developers must use npm CLI 11.15.0 or newer to stage a publish.
  • GitHub also added allow flags for file, remote, and directory install sources.

Read More: https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html