Npm registry sets stage for more secure package publishing

All the world's a stage, and all the packages are merely players

Thomas Claburn

Senior reporter

Published Thu 21 May 2026 // 20:54 UTC

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages before they can poison the software supply chain.

Modern software development relies on imported bundles of code known as packages (and sometimes libraries or modules). In the past decade or so, miscreants have focused on gaining access to the accounts of package maintainers. Subverting a widely used package offers a fast track to malware distribution.

Last December, amid the Shai-Hulud 2.0 campaign that compromised software packages, GitHub described a series of planned security measures intended to harden security for npm package publishers.

One of the measures, staged publishing, has now been implemented. GitHub on Wednesday merged npm stage into npm CLI (v11.15.0) and has updated the registry documentation that describes the process.

Staged publishing might also be called gated publishing – it requires a project maintainer to approve changes to a package that has been staged for release. It's been under discussion since 2020.

"Instead of publishing directly with npm publish, you can submit packages to a staging area with npm stage publish," the documentation explains. "A maintainer must then review and explicitly approve the staged package — with two-factor authentication (2FA) via the CLI or npmjs.com — before it becomes publicly available."

This process should have particular value for automated workflows, which typically don't include a way to authorize via 2FA. Automated workflows often rely on tokens for authentication, but these can be copied and stolen.

Tokens that remain valid for long periods of time become attractive targets for cyberattackers. That's why GitHub did away with long-lived classic tokens and encouraged the use of short-lived session tokens and permission-limited access tokens for automation. GitHub's discontinuation of classic tokens hasn't gone all that well because short-lived tokens tend to expire at inconvenient times – no one likes having to regenerate tokens every 90 days or less and then go through the reconfiguration process.

Staged publishing should make it easier for developers to set up maintainable workflows without burdensome re-authentication rituals. It gives package publishers the option to stage their package via automation and to defer the 2FA approval for publishing to a later date.

GitHub offers trusted publishing as a way to establish trust between npm and the developer's CI/CD provider using OpenID Connect (OIDC) authentication. The OIDC mechanism still doesn't work when trying to publish a package for the first time, but together with staged publishing, the software supply chain looks a bit more defensible – so long as developers avail themselves of these tools.

Originally published at theregister.com
