BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

npm Staged Publishing Requires Human Approval

GitHub mandates staged publishing and new install flags to secure npm from supply chain attacks.

  • GitHub has introduced mandatory two-factor approval for npm package releases to combat software supply chain attacks.
  • A new “staged publishing” feature requires human maintainers to approve packages before they become publicly installable.
  • New npm install source flags give developers granular control over which non-registry sources are permitted.
  • The security enhancements come as threat actors like TeamPCP escalate attacks on open-source ecosystems.

On May 23, 2026, GitHub announced major security upgrades for the npm package registry to fortify the software supply chain. The changes are a direct response to the escalating wave of attacks targeting open-source ecosystems.

- Advertisement -

Consequently, the new “staged publishing” feature is now generally available. It mandates that a human maintainer pass a two-factor authentication challenge to approve a package before publication.

“Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable,” GitHub stated. This process ensures proof of presence for every publish, including those from automated workflows.

Package maintainers must meet specific criteria to use staged publishing. They need publish access, the package must already exist on the registry, and 2FA must be enabled for their account.

Developers must update to npm CLI 11.15.0 or newer and use the “npm stage publish” command. For optimal protection, GitHub recommends pairing this with trusted publishing using OpenID Connect.

- Advertisement -

Meanwhile, a second update introduces three new install source flags: –allow-file, –allow-remote, and –allow-directory. These flags allow developers to apply an explicit-allowlist approach to every non-registry install source.

The development comes amid a massive surge in software supply chain attacks. One cybercriminal group known as TeamPCP is poisoning popular packages at an unprecedented scale through a self-perpetuating cycle of compromises.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Nvidia’s Kyber AI rack delayed to 2028: report

NVIDIA's next-generation Kyber server rack, designed for Rubin Ultra chips, is delayed to 2028...

TrojPix Air-Gap Attack Uses Monitor Cables

Researchers at Shandong University have demonstrated a new covert data exfiltration technique called TrojPix.The...

Bitcoin Reclaims $63k as Crypto Market Sees July Reversal

Bitcoin (BTC) reclaimed $63,000 in early July 2026, signaling a market reversal after a...

2026 ASEAN SHOP Opens in Kuala Lumpur to Drive Southeast Asia’s Smart Retail Growth

KUALA LUMPUR, Malaysia. ASEAN SHOP will host its 2026 edition at the MITEC Pavilion...

Bitcoin Data Strong Amid Selling and Yield Fears

Despite a zero ByteTrend score, the Bitcoin network's weekly on-chain transaction value is $13.5...

Must Read

How to Buy VPS with Crypto from Hostinger – Step by Step guide

Did you know that nowadays you can use Bitcoin to purchase a Windows VPS? If you’re here, you’re probably wondering how to do it....
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading