npm has rolled out new controls that let maintainers stage package releases and require two-factor authentication (2FA) approval before a package becomes publicly installable, with the aim of countering supply chain attacks.
GitHub has added new controls to npm to strengthen the security of the software supply chain. The feature, known as staged publishing, lets maintainers explicitly approve a release before the package is made publicly available for installation. Publication now requires a human maintainer to pass a two-factor authentication (2FA) challenge before the release is authorized.