GitHub, the Microsoft-owned company, has introduced new security measures for npm to bolster the safety of the software supply chain. These enhancements allow package maintainers to confirm releases before they are publicly accessible, aiming to prevent supply chain attacks.
Implementation of Staged Publishing
A key feature, staged publishing, is now available on npm, requiring maintainers to pass a two-factor authentication (2FA) challenge to authorize a package release. This process involves uploading a prebuilt tarball to a staging queue, where it awaits explicit approval from a maintainer before becoming installable.
According to GitHub, this update ensures proof of presence for every package publication, including those stemming from non-interactive CI/CD workflows and trusted OpenID Connect (OIDC) authentication. Only packages already existing on the npm registry are eligible for staging, and maintainers must have publish access and 2FA enabled on their accounts.
Command Updates and Additional Recommendations
Developers can submit packages to staging using the command 'npm stage publish' from the package's root directory. This requires npm CLI version 11.15.0 or later. GitHub advises combining staged publishing with trusted publishing via OIDC for enhanced security.
Furthermore, npm has introduced three new install source flags: --allow-file, --allow-remote, and --allow-directory, alongside the existing --allow-git flag. These flags enable developers to specifically allow installations from local file paths, remote URLs, and local directories, providing more granular control over non-registry install sources.
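Before restricting install sources, it helps to know which non-registry sources a project already depends on. The following is an added example, not code from npm or GitHub: it scans a package.json object and reports each dependency that would fall under one of the four flags named above. The function names, the sample manifest and the classification rules are assumptions (a simplified heuristic, not npm's own spec parser).

```javascript
// Added example: list the non-registry install sources a package.json relies on.
// Flag names come from the article; the classification below is a simplified
// heuristic (an assumption), not npm's own spec parser.
const FLAG_FOR_SOURCE = {
  git: "--allow-git",
  remote: "--allow-remote",
  file: "--allow-file",
  directory: "--allow-directory",
};

function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^npm:/i.test(s)) return "registry"; // alias to another registry package
  if (/^(git\+(ssh|https?|file)|git|ssh):\/\//i.test(s)) return "git";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "git";
  if (/^https?:\/\//i.test(s)) return "remote"; // plain URL, treated as a tarball
  if (/^(file:|\.{1,2}[\\/]|\/|~\/)/i.test(s)) {
    // A local tarball is a "file"; any other local path is a "directory".
    return /\.(tgz|tar\.gz|tar)$/i.test(s) ? "file" : "directory";
  }
  // "owner/repo" or "owner/repo#ref" shorthand resolves to a Git host.
  if (/^[^@\/\s:.~][^\/\s:]*\/[^\/\s:]+$/.test(s)) return "git";
  return "registry"; // semver range, dist-tag, or empty
}

function auditManifest(manifest) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const source = classifySpec(spec);
      if (source !== "registry") {
        findings.push({ field, name, spec, source, flag: FLAG_FOR_SOURCE[source] });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (package names and URLs are made up).
const sampleManifest = {
  dependencies: {
    express: "^4.18.2",
    "shared-ui": "file:../shared-ui",
    "vendored-tool": "file:./vendor/tool-2.1.0.tgz",
  },
  devDependencies: {
    "build-helper": "git+https://git.example.com/acme/build-helper.git#v1.0.0",
    "legacy-lib": "https://downloads.example.com/legacy-lib-0.9.0.tgz",
  },
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.field}.${f.name}: ${f.spec} -> ${f.source} (${f.flag})`);
}
```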
Addressing Increasing Supply Chain Threats
These developments are a response to a notable increase in software supply chain attacks targeting open-source ecosystems. One group, TeamPCP, has been particularly active, compromising popular packages at a significant scale.
With these updates, GitHub aims to fortify npm against such threats, safeguarding the integrity of software packages and maintaining trust within the developer community. As the landscape of cybersecurity evolves, these measures are critical in mitigating risks associated with open-source software development.
By implementing these controls, npm seeks to maintain a secure environment for developers and protect the broader software ecosystem from emerging vulnerabilities.
