Skip to content

New npm features for secure publishing and safe consumption

Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.

New npm features for secure publishing and safe consumption
Author

We are excited to announce two new features for a safer npm package ecosystem experience: granular access tokens and the npm code explorer.

Stolen credentials are one of the main causes of data breaches. Safeguarding credentials can be a challenging task and the supply chain impact of a compromised token with broad permissions can be severe. To help npm maintainers more effectively manage their risk exposure to token compromise, we are introducing a granular access token type for npm. This new token allows npm package maintainers and org owners to create fine-grained access tokens.

For consumers of npm packages, we are introducing a new code explorer. Today, developers must download an npm package to inspect its contents. While performing an npm install to inspect and verify package contents is straightforward, it is not guaranteed to be a secure operation. The installed package may contain malicious or otherwise detrimental code which can be deployed on your system through, for example, malicious install scripts.

With the npm code explorer, you can now view the contents of a package directly from the npm portal. This enables you to scrutinize the package before using it. Also, the code explorer was previously a paid feature, but it is now updated and available publicly for free!

Granular access tokens help publishers create tokens with limited access

npm has supported automation tokens for quite some time. Automation tokens allow you to publish to any packages that the owner of the token has permission to. Until now, it was not possible to create tokens with a least privilege model—to limit the impact of an accidental or deliberate misuse of the token. The new granular access tokens will allow you to do exactly this. You can now create tokens that can publish only to a limited set of packages and/or scopes.

Prior to granular access tokens, npm organization owners were limited in their ability to automate the management of their organization, team, and its members. Organization owners were dependent on publish tokens to integrate their npm automations. Publish tokens are intended for interactive workflows, such as the npm CLI, and using them in automation was not recommended and often not feasible because of 2FA requirements.

Granular access tokens will allow npm organization owners to automate org management. You can now create tokens to manage one or more organizations, their teams, and members.

Granular access tokens also let you limit npm API access based on allowed IP ranges and come with an expiration period of up to one year. Since less than 10% of the tokens in npm are being regularly used, this leaves a lot of npm tokens unnecessarily active, which increases the potential for such a long-lived token to eventually be compromised. Regularly rotating tokens and aggressively limiting their expirations to the minimum requirement significantly reduces the number of attack vectors on your npm organization.

Read more about granular access tokens from our documentation here.

Code explorer gives visibility into the contents of a package directly from the npm portal

Code explorer was a paid feature and available for teams and pro users for several years now. We are happy to make a new and improved code explorer available publicly for free. The updated code explorer is more stable, faster, and works for almost all packages in the npm registry. We wanted to make this awesome feature available for all developers so that they can inspect the package before installing it. It provides syntax highlighting for .js, .ts, .md, .json, .css and other popular languages/markups used in npm packages. You can also view content of any prior version of a package. We have internally been using code explorer since past few months to inspect packages reported as malicious.

If you’re using code explorer, we’d love to hear your feedback in our dedicated discussion.

An update on 2FA adoption

In addition to these two new features, npm has continued its commitment to improving the security of the npm ecosystem and as of November 1, 2022, we have begun enrolling all maintainers of high-impact packages into mandatory 2FA for their accounts. High‐impact packages are packages with more than 1 million weekly downloads and/or have more than 500+ dependents.

This increased 2FA adoption will help strengthen the security of the npm JavaScript ecosystem by defending against account hijacking, which remains the number one source of security incidents. Over 200 billion packages are downloaded from npm every month, and these high impact packages account for 93% of the traffic. And, to ensure developers do not encounter additional friction under mandatory 2FA, we’ve made a number of improvements for an enhanced 2FA experience, including improved npm account recovery workflow. You can now indicate additional sources of identity verification on your npm profile, such as linked GitHub accounts and social media accounts.

We appreciate your hard work and enthusiasm in keeping the JavaScript ecosystem both thriving and secure, and we hope you enjoy these new features as we continue to work to improve the security of npm. If you have feedback, questions, suggestions, or concerns, we’d love to hear about it!

Explore more from GitHub

Open Source

Open Source

Gaming, Git, new releases, and more.
The ReadME Project

The ReadME Project

Stories and voices from the developer community.
GitHub Actions

GitHub Actions

Native CI/CD alongside code hosted in GitHub.
Work at GitHub!

Work at GitHub!

Check out our current job openings.