Engineering: Bringing npm registry services to GitHub Codespaces. The npm engineering team recently transitioned to GitHub Codespaces for local development of the npm registry services. The move has substantially reduced the friction of our inner development loop and boosted developer productivity.
Security: Dependabot relieves alert fatigue from npm devDependencies. A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
Security: Introducing npm package provenance. How to verifiably link npm packages to their source repository and build instructions.
Security: Unlocking security updates for transitive dependencies with npm. How Dependabot integrated with npm to address security vulnerabilities in transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.
News & insights: New npm features for secure publishing and safe consumption. You can now create tokens with fine-grained permissions for automating your publishing and organization management workflows, and a new code explorer lets you view the contents of a package directly in the npm portal.
Security: Why we're excited about the Sigstore general availability. The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and it will power new npm security capabilities in the near future.
Security: New request for comments on improving npm security with Sigstore is now open. Supply chain attacks exploit our implicit trust in open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
News & insights: Introducing even more security enhancements to npm. New npm security enhancements include an improved login and publish experience with the npm CLI, connected GitHub and Twitter accounts, and a new CLI command to verify the integrity of packages in npm.
Company news: npm security update: Attack campaign using stolen OAuth tokens. npm's impact analysis of the attack campaign using stolen OAuth tokens, and additional findings.
News & insights: Enhanced 2FA experience for your npm account. Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to…
Company news: Software security starts with the developer: Securing developer accounts with 2FA. GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
Company news: Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators. On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the impact to GitHub, npm, and our users.
Open Source: Release Radar · March 2022 Edition. Each month, we highlight open source projects that have shipped major updates. These include everything from world-changing technology to developer tooling and weekend projects. Here are our top staff picks…
Open Source: Release Radar · February 2022 Edition. Our community has shipped lots of open source project updates in the last month. Here are a few of our staff picks.
Security: Top-100 npm package maintainers now require 2FA, and additional security-focused improvements to npm. Starting today, we are rolling out mandatory 2FA to all maintainers of the top-100 npm packages by dependents.