GitHub Introduces Staged Publishing and Install-Time Controls for npm Supply Chain Security
Tags Enterprise · Security

GitHub shipped two npm supply chain security features: staged publishing, now generally available, which lets package authors publish a release to a staging tag and promote it to latest only afterwards; and new --allow-file, --allow-remote and --allow-directory install-time flags, which restrict the dependency source types npm will install. These complement the existing --allow-git flag.
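The allow flags act on the source type of each dependency specifier, and those types are the same ones npm's own specifier parser (npm-package-arg) distinguishes: registry version/range/tag, alias, git, file, directory and remote. The script below, an added example rather than npm's or GitHub's code, reproduces an approximation of that classification and checks a package.json against an allow-list, so a CI job can enforce the same policy before npm runs. The package names and specifiers in SAMPLE_PKG are constructed for the demo; the classification rules are a simplification of npm-package-arg's, not a copy.

```javascript
// Classify package.json dependency specifiers by source type (approximating
// npm-package-arg's type names) and flag any type not on an allow-list.
// Added example, not npm's own code.

const TARBALL_RE = /\.(tgz|tar\.gz|tar)$/i;
const GIT_PROTO = /^(git(\+[a-z]+)?|ssh):\/\//i;            // git://, git+ssh://, git+https://, ssh://
const GIT_HOSTS = /^(github|gitlab|bitbucket|gist):/i;      // github:user/repo style
const GIT_HOST_URL = /^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org|gist\.github\.com)\//i;
// "user/repo" shorthand: exactly one slash, no scheme, no scope prefix, optional #committish
const GIT_SHORTHAND = /^[^@:/\s]+\/[^@:/\s#]+(#.*)?$/;

function specType(spec) {
  const s = spec.trim();
  if (/^npm:/i.test(s)) return 'alias';                      // npm:pkg@range -> registry under another name
  if (/^file:/i.test(s) || /^(\.\.?\/|\/|~\/)/.test(s)) {    // local path: tarball or directory
    return TARBALL_RE.test(s) ? 'file' : 'directory';
  }
  if (GIT_PROTO.test(s) || GIT_HOSTS.test(s) || GIT_HOST_URL.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return 'remote';              // arbitrary URL to a tarball
  if (GIT_SHORTHAND.test(s)) return 'git';
  return 'registry';                                         // version, range or dist-tag
}

// Returns the dependencies whose source type is not allowed. Registry specs
// (and npm: aliases, which also resolve via the registry) are always allowed;
// pass e.g. ['git', 'file'] to mirror --allow-git and --allow-file.
function checkDependencies(pkg, allowedTypes = []) {
  const allowed = new Set(['registry', 'alias', ...allowedTypes]);
  const violations = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const type = specType(spec);
      if (!allowed.has(type)) violations.push({ field, name, spec, type });
    }
  }
  return violations;
}

// Constructed package.json for the demo; every package name here is made up.
const SAMPLE_PKG = {
  name: 'demo-app',
  dependencies: {
    'lodash': '^4.17.21',                                    // registry
    'aliased': 'npm:lodash@^4',                              // alias (registry)
    'my-fork': 'github:example/my-fork#v1.0.0',              // git
    'shorthand-dep': 'example/shorthand-dep',                // git (shorthand)
    'local-lib': 'file:../local-lib',                        // directory
    'vendored': 'file:./vendor/vendored-1.0.0.tgz',          // file
    'tarball-dep': 'https://example.com/tarball-dep-1.0.0.tgz', // remote
  },
};

// Registry-only policy: everything that is not a registry spec is reported.
function report(pkg, allowedTypes = []) {
  const violations = checkDependencies(pkg, allowedTypes);
  for (const v of violations) {
    console.log(`${v.field}.${v.name}: ${v.spec} (type ${v.type} not allowed)`);
  }
  return violations.length;
}

report(SAMPLE_PKG);              // 5 violations under the registry-only policy
report(SAMPLE_PKG, ['git']);     // 3 violations once git sources are allowed
```

In CI, fail the job when report() returns non-zero; the check then holds regardless of which npm version the runner has, and the install-time flags remain the enforcement point on the machine that actually installs.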
Technical significance
Staged publishing addresses a common npm antipattern: whatever is published, working or broken, is picked up at once by every consumer resolving latest. A staging tag gives the author a window to verify the published artifact before it becomes the default install. The new allow flags give organizations granular control over dependency sources, responding to the 700+ repo supply chain attack discovered the same week; together the two features are a clear sign that platform operators are racing to harden package management against social engineering attacks.