GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
GitHub has introduced a major security upgrade to the npm ecosystem with the general availability of staged publishing and new install-time controls, aimed at reducing automated supply chain attacks targeting open-source packages.<\/a><\/p>\n The newly released staged publishing feature changes how npm packages are published and distributed.<\/p>\n Instead of immediately making a package available after publishing, npm now places the prebuilt package tarball into a staging queue.<\/p>\n A human maintainer must explicitly approve the package before it becomes publicly installable.<\/p>\n This approach introduces a critical security checkpoint, especially for automated CI\/CD workflows that are often targeted in supply chain attacks.<\/p>\n Even if an attacker compromises a pipeline or injects malicious code, the package cannot be released without manual approval.<\/p>\n Key security benefits include:<\/p>\n The feature is available starting with npm CLI version 11.15.0 and requires developers to switch from the traditional npm publish command to npm stage publish for staged workflows.<\/p>\n GitHub recommends combining staged publishing with trusted publishing using OpenID Connect (OIDC)<\/a>.<\/p>\n This setup allows CI\/CD systems to publish packages directly into the staging queue without exposing long-lived credentials.<\/p>\n Organizations can enforce stage-only publishing policies, ensuring that:<\/p>\n This model significantly reduces the risk of credential theft and automated malicious releases.<\/p>\n In addition to staged publishing, GitHub has introduced new install-time security flags in npm 11.15.0.<\/p>\n These flags provide granular control over where dependencies can be installed from, helping prevent malicious or unexpected sources.<\/p>\n New flags include:<\/strong><\/p>\n Each flag supports two modes: all (default) or none, and can be configured via .npmrc or package.json.<\/p>\n These controls allow developers to implement strict allowlist policies, reducing the attack surface from non-registry sources often used in dependency confusion or injection attacks.<\/p>\n GitHub also confirmed<\/a> that in npm CLI version 12, the default behavior for \u2013allow-git will change from all to none, signaling a shift toward stricter default security settings.<\/p>\n Developers are encouraged to adopt these restrictions early by manually configuring the new flags.<\/p>\n For example, an organization can configure its environment to block all non-registry installs:<\/p>\n Combined with staged publishing, this creates a controlled pipeline where both package creation and consumption are tightly secured.<\/p>\n These updates directly address common supply chain attack vectors, including:<\/p>\n By introducing human validation and stricter dependency controls, GitHub is moving npm toward a zero-trust supply chain model<\/a>.<\/p>\n Organizations using npm are strongly advised to upgrade to npm CLI 11.15.0 or later and update their workflows to take full advantage of these new protections.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGitHub Adds npm Staging<\/strong><\/h2>\n
\n
\n
\n
Security Impact<\/strong><\/h2>\n
\n
\n