- GitHub has introduced a two-factor-gated human approval step for npm package releases to combat software supply chain attacks.
- A new “staged publishing” feature requires human maintainers to approve packages before they become publicly installable.
- New npm install source flags give developers granular control over which non-registry sources are permitted.
- The security enhancements come as threat actors like TeamPCP escalate attacks on open-source ecosystems.
On May 23, 2026, GitHub announced major security upgrades for the npm package registry to fortify the software supply chain. The changes are a direct response to the escalating wave of attacks targeting open-source ecosystems.
Chief among them, the new “staged publishing” feature is now generally available. When a package is published through it, a human maintainer must pass a two-factor authentication challenge to approve the version before it is released.
“Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable,” GitHub stated. Because the approval step sits between the upload and the release, every publish carries proof that a maintainer was present, including versions built and uploaded by automated CI workflows whose credentials might otherwise be stolen or abused.
Package maintainers must meet specific criteria to use staged publishing. They need publish access, the package must already exist on the registry, and 2FA must be enabled for their account.
Developers must update to npm CLI 11.15.0 or newer and use the “npm stage publish” command. For optimal protection, GitHub recommends pairing this with trusted publishing using OpenID Connect.
Meanwhile, a second update introduces three new install source flags: --allow-file, --allow-remote, and --allow-directory. Together they let developers apply an explicit allowlist to every non-registry install source, so a dependency pointing at a local tarball, a local directory, or a remote URL is only fetched when the corresponding flag has been granted.
The development comes amid a massive surge in software supply chain attacks. One cybercriminal group known as TeamPCP is poisoning popular packages at an unprecedented scale through a self-perpetuating cycle of compromises.
