New features also include ability to connect social media accounts

GitHub has announced three enhancements to JavaScript package manager NPM which aim to improve its security and manageability.

A new CLI command has been introduced to verify the integrity of packages in NPM, replacing the current, more cumbersome, multi-step PGP process, which is now set to expire early next year.

“Recently, we began work to re-sign all NPM packages with new signatures relying on the secure ECDSA algorithm and using an HSM for key management, and you can now rely on this signature to verify the integrity of the packages you install from NPM,” writes Myles Borins and Monish Mohan, product managers at GitHub and NPM, respectively, in a blog post.

“We have introduced a new audit signatures command in NPM CLI version 8.13.0 and above.”

Social connections

Also new is the ability to connect GitHub and Twitter accounts to NPM. While developers were already able to include their GitHub and Twitter handles, this was until now a free-form text field that wasn’t validated or verified.

Now, accounts can be linked via official integrations with both GitHub and Twitter, making account recovery easier and laying the foundation for automated identity verification as part of account recovery.

Finally, following mixed feedback on the recent announcement of enhancements to make two-factor authentication (2FA) adoption easier for developers, there are new moves to streamline the login and publishing experience, available in NPM 8.15.0.


Read more of the latest security news about open source software


Login and publish authentication will now be managed in the browser – login can use an existing session, only prompting for the second factor or email verification OTP to create a new session.

Meanwhile, publish now supports ‘remember me for five minutes’, allowing for subsequent publishes from the same IP + access token to take place without the 2FA prompt for a five-minute period. This is especially useful when publishing from a NPM workspace, says GitHub.

These features are currently opt-in, but will become the default experience in NPM 9.

“Our primary goal continues to be protecting the NPM registry, and our next major milestone will be enforcing 2FA for all high-impact accounts, those that manage packages with more than one million weekly downloads or 500 dependents, tripling the number of accounts we will require to adopt a second factor,” write Borins and Mohan.

“Prior to this enforcement we will be making even more improvements to our account recovery process, including introducing additional forms of identity verification and automating as much of the process as possible.”


YOU MAY ALSO LIKE Open-Xchange issues fixes for RCE, SSRF bugs in OX App Suite