Npm registry sets stage for more secure package publishing

AI + ML

All the world's a stage, and all the packages are merely players

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages before they can poison the software supply chain.Modern software development relies on imported bundles of code known as packages (and sometimes libraries or modules). In the past decade or so, miscreants have focused on gaining access to the accounts of package maintainers. Subverting a widely used package offers a fast track to malware distribution.Last December, amid the Shai-Hulud 2.0 campaign that compromised software packages, GitHub described a series of planned security measures intended to harden security for npm package publishers.

One of the measures, staged publishing, has now been implemented. GitHub on Wednesday merged npm stage into npm CLI (v11.15.0) and has updated the registry documentation that describes the process.

Staged publishing might also be called gated publishing – it requires a project maintainer to approve changes to a package that has been staged for release. It's been under discussion since 2020.

Npm registry sets stage for more secure package publishing

Other newsrooms on this story

Related reading

Developer Workstations Are Now Part of the Software Supply Chain

GitHub Worm Hits npm Packages With 16M Downloads

Mistral AI SDK, TanStack Router hit in npm software supply chain attack

New Shai-Hulud malware wave compromises 600 npm packages

Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6…

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware