Today we’re shipping two updates focused on supply-chain security for npm: Staged publishing is generally available. New --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag. Both…
Today we’re shipping two updates focused on supply-chain security for npm:
Staged publishing is generally available.
New --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag.
Both are available in npm CLI 11.15.0 or newer.
Staged publishing is generally available
npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
Npm registry sets stage for more secure package publishing
Hardening Your Node.js App Against Supply Chain & Remote Code Execution Attacks
npm supply chain: valid certificates, stolen accounts
Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
Developer Workstations Are Now Part of the Software Supply Chain
Security Is Important. Automate It
New Shai-Hulud malware wave compromises 600 npm packages
GitHub links repo breach to TanStack npm supply-chain attack
GitHub added npm staged publishing with mandatory 2FA approval to reduce software supply chain attack risks.
All the world's a stage, and all the packages are merely players
Supply chain attacks on the npm ecosystem have quietly become one of the most effective ways...
Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool attack…
TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious…
A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.
