npm

track direct and transitive dependencies for npm packages with GitHub’s dependency graph ⬇️ github.blog/changelog/2025…

starting today, developers building npm projects on @GitHub Actions can request a provenance statement to be published alongside their package, giving consumers a verifiable way to link a package back to its source repository and build instructions. github.blog/2023-04-19-int…

Now you can create tokens with fine-grained permissions for automating your publishing and org management workflows. And a new code explorer allows you to view content of a package directly in the npm portal. github.blog/2022-12-06-new…

⚡️ #7: Use npm query and jq to dig into your dependencies youtube.com/watch?v=h_Zpix… You can use the new "npm query" command and jq to answer interesting questions about your package's dependencies #terminalrocks

Today we opened an RFC with a proposal of how npm can collaborate with @projectsigstore to link packages to their source and build, a significant improvement to the supply chain security of the JavaScript ecosystem. github.blog/2022-08-08-new…

🚀 we just shipped npm v8.16.0 with the new `npm query` command 📦 this new feature allows developers to quickly ask & answer questions about their project's dependencies. you can learn more here: github.blog/changelog/2022… ⬇️ to get it now, run: $ npm install -g npm

We've launched a number of security enhancements to npm including: * Improved login and publish experience /w CLI * Connecting GitHub + Twitter accounts * All packages have been resigned and a new command `npm audit signatures` Read more at: github.blog/2022-07-26-int…

do you publish from a npm workspace & use a root-level ignore file? if so, you should update to npm v8.11.0 or the latest versions of Node.js 16/17/18 to avoid a recently discovered vulnerability that wouldn't respect these files. read the advisory here: github.co/3zebIPH

GitHub has been actively investigating the attack campaign around stolen OAuth tokens, of which @npmjs was a victim organization. Today we’re sharing our final impact analysis for npm as well as additional findings. github.blog/2022-05-26-npm…

🔒 an enhanced npm 2FA experience is now available in public beta. it includes: * support for physical security keys and biometric devices * support for multiple second factors * a new 2FA configuration menu and more! github.blog/2022-05-10-enh…

🚀 Our CLI team just shipped their weekly release! 📦 npm@8.9.0 makes `npm owner` workspace-aware & also comes with some docs, deps & core updates/fixes. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releas…

A new @npmjs cli release is out! 🚀 📦 npm@8.8.0 adds a new `--install-links` option to opt into packing+install dependencies defined using the `file:` protocol instead of symlinking. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releas…

we've got a jam packed Open RFC call today w/ some exciting topics like: v9 roadmap, `npm query` + dependency selector syntax, command-specific configuration & more... come join us live at 2pm EST: github.com/npm/rfcs/issue… #npm #nodejs #javascript

It's npm cli release day again! 🎉 🚀 npm@8.4.1 - fixes `npm ci` lock file validation - fixes parsing aliases in `npm outdated` - And more! ⬇️ Get it now: npm install -g npm See more in the changelog: github.com/npm/cli/releas…

exciting open rfc meeting planned today at 11am pt / 2pm et; we've got a full agenda including new rfcs for package distributions & ux changes to clean up deprecation warnings: github.com/npm/rfcs/issue… 🎙 come join the discussion or watch live on youtube youtube.com/channel/UCK71W…

today we enrolled all maintainers of the top-100 npm packages in mandatory 2FA. read more about it on our blog: github.blog/2022-02-01-top…

a quick reminder that, on Tuesday, February 1, maintainers of the top-100 packages on the npm registry will be enrolled in mandatory 2FA

continuing our commitment to npm security with the introduction of new enhanced login verification and timeline for two-factor authentication enforcement github.blog/2021-12-07-enr…

we hope to see you at our weekly open rfc meeting today! check out what's on the agenda and how to join ⬇️ github.com/npm/rfcs/issue…

we just shipped a number of security-focused improvements to npm including: - naming access tokens - enforcing 2FA in your npm orgs - improved auditing for 2FA adoption in orgs - selecting teams when adding new org members read more in our Changelog ⬇️ github.blog/changelog/2022…

open rfc meeting is on for today and we've got a full agenda! we'll see you at 11am pt / 2pm et 🕚 github.com/npm/rfcs/issue…