staged publishing
Coverage of staged publishing in the Nexus archive.
- npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
GitHub has introduced staged publishing on npm, requiring maintainers to approve package releases via two-factor authentication (2FA) to enhance software supply chain security. This feature aims to prevent unauthorized or malicious package distributions by mandating human verification before public installation.
- GitHub introduces staged publishing and new install-time controls for NPM
GitHub has introduced staged publishing for NPM packages, allowing developers to delay public visibility until ready. New install-time controls help manage package versions and dependencies during installation, enhancing security and reliability for NPM users.
- Npm registry sets stage for more secure package publishing
GitHub has implemented staged publishing for npm packages, requiring maintainer approval via two-factor authentication before packages become publicly available. This security measure aims to prevent compromised packages from poisoning the software supply chain by addressing the vulnerability of automated workflows that rely on tokens. The feature, discussed since 2020, works alongside trusted publishing using OIDC authentication to improve overall package security.