GitHub introduces staged publishing and new install-time controls for NPM

6 hours ago
  • #npm
  • #supply-chain-security
  • #staged-publishing
  • Staged publishing is now generally available, requiring maintainer approval before packages become installable.
  • Staged publishing enforces proof of presence with 2FA for approval, even from CI/CD workflows or OIDC trusted publishing.
  • Requirements include npm CLI 11.15.0+ and updating CI/CD workflows to use 'npm stage publish' instead of 'npm publish'.
  • Recommended setup pairs staged publishing with trusted publishing (OIDC), allowing CI to stage packages and maintainers to approve later.
  • New install-time control flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag, giving an explicit allowlist for non-registry install sources.
  • Flags accept 'all' (current default) or 'none' and can be set in .npmrc or package.json config, with stricter defaults planned for future versions.
  • Feedback is encouraged via a GitHub Community discussion.
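As an added illustration (not code from the GitHub changelog or the npm project), the workflow below puts the recommended setup together: CI authenticates with OIDC trusted publishing, stages the package with `npm stage publish`, and a maintainer approves it later with 2FA. It also pins the new install-time flags to `none` for the CI install. Assumptions: a trusted publisher for this repository and workflow is already configured on npmjs.com, the workflow and job names are hypothetical, and the `.npmrc` keys are the flag names without the leading dashes (npm's usual convention).

```yaml
# Hypothetical workflow; not part of the changelog. Assumes a trusted
# publisher is configured on npmjs.com for this repo and workflow file.
name: stage-release

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # lets the job mint the OIDC token trusted publishing needs

jobs:
  stage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Staged publishing requires npm CLI 11.15.0 or newer.
      - run: npm install -g npm@latest && npm --version

      # Install-time allowlist for this CI run: the current default for all
      # four flags is 'all'; 'none' makes the install fail if any dependency
      # resolves to a git, file, remote-tarball or directory source.
      # (Assumed key spelling: flag name without the leading dashes.)
      - run: |
          printf 'allow-git=none\nallow-file=none\n' >> .npmrc
          printf 'allow-remote=none\nallow-directory=none\n' >> .npmrc

      - run: npm ci
      - run: npm test

      # Stage rather than publish: the tarball is uploaded, but it is not
      # installable until a maintainer approves it with 2FA on npmjs.com.
      - run: npm stage publish
```

After the run completes, the release still needs a human with 2FA to approve the staged version; until then, `npm install <package>@<version>` cannot resolve it.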