npm

2/ Use npm Trusted Publishing to reduce reliance on such tokens. docs.npmjs.com/trusted-publis…

1/ To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with write access that bypass 2FA. Update the stored token and rerun the workflow for your automations.

track direct and transitive dependencies for npm packages with GitHub’s dependency graph ⬇️ github.blog/changelog/2025…

starting today, developers building npm projects on @GitHub Actions can request a provenance statement to be published alongside their package, giving consumers a verifiable way to link a package back to its source repository and build instructions. github.blog/2023-04-19-int…

Now you can create tokens with fine-grained permissions for automating your publishing and org management workflows. And a new code explorer allows you to view content of a package directly in the npm portal. github.blog/2022-12-06-new…

⚡️ #7: Use npm query and jq to dig into your dependencies youtube.com/watch?v=h_Zpix… You can use the new "npm query" command and jq to answer interesting questions about your package's dependencies #terminalrocks

Today we opened an RFC with a proposal of how npm can collaborate with @projectsigstore to link packages to their source and build, a significant improvement to the supply chain security of the JavaScript ecosystem. github.blog/2022-08-08-new…

🚀 we just shipped npm v8.16.0 with the new `npm query` command 📦 this new feature allows developers to quickly ask & answer questions about their project's dependencies. you can learn more here: github.blog/changelog/2022… ⬇️ to get it now, run: $ npm install -g npm

We've launched a number of security enhancements to npm including: * Improved login and publish experience /w CLI * Connecting GitHub + Twitter accounts * All packages have been resigned and a new command `npm audit signatures` Read more at: github.blog/2022-07-26-int…

do you publish from a npm workspace & use a root-level ignore file? if so, you should update to npm v8.11.0 or the latest versions of Node.js 16/17/18 to avoid a recently discovered vulnerability that wouldn't respect these files. read the advisory here: github.co/3zebIPH

GitHub has been actively investigating the attack campaign around stolen OAuth tokens, of which @npmjs was a victim organization. Today we’re sharing our final impact analysis for npm as well as additional findings. github.blog/2022-05-26-npm…

🔒 an enhanced npm 2FA experience is now available in public beta. it includes: * support for physical security keys and biometric devices * support for multiple second factors * a new 2FA configuration menu and more! github.blog/2022-05-10-enh…

🚀 Our CLI team just shipped their weekly release! 📦 npm@8.9.0 makes `npm owner` workspace-aware & also comes with some docs, deps & core updates/fixes. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releas…

A new @npmjs cli release is out! 🚀 📦 npm@8.8.0 adds a new `--install-links` option to opt into packing+install dependencies defined using the `file:` protocol instead of symlinking. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releas…

we've got a jam packed Open RFC call today w/ some exciting topics like: v9 roadmap, `npm query` + dependency selector syntax, command-specific configuration & more... come join us live at 2pm EST: github.com/npm/rfcs/issue… #npm #nodejs #javascript

It's npm cli release day again! 🎉 🚀 npm@8.4.1 - fixes `npm ci` lock file validation - fixes parsing aliases in `npm outdated` - And more! ⬇️ Get it now: npm install -g npm See more in the changelog: github.com/npm/cli/releas…

exciting open rfc meeting planned today at 11am pt / 2pm et; we've got a full agenda including new rfcs for package distributions & ux changes to clean up deprecation warnings: github.com/npm/rfcs/issue… 🎙 come join the discussion or watch live on youtube youtube.com/channel/UCK71W…

today we enrolled all maintainers of the top-100 npm packages in mandatory 2FA. read more about it on our blog: github.blog/2022-02-01-top…

a quick reminder that, on Tuesday, February 1, maintainers of the top-100 packages on the npm registry will be enrolled in mandatory 2FA

continuing our commitment to npm security with the introduction of new enhanced login verification and timeline for two-factor authentication enforcement github.blog/2021-12-07-enr…

we hope to see you at our weekly open rfc meeting today! check out what's on the agenda and how to join ⬇️ github.com/npm/rfcs/issue…