GitHub Adds Staged Publishing to npm for Supply Chain Security

Sarah simpson
May 25, 2026 3 Min Read

With staged publishing and new install-time controls now generally available, GitHub has rolled out a major security upgrade for the npm ecosystem. This enhancement aims to reduce automated supply chain attacks targeting open-source packages.

The newly released staged publishing feature changes how npm packages are published and distributed.

Instead of immediately making a package available after publishing, npm now places the prebuilt package tarball into a staging queue.

A human maintainer must explicitly approve the package before it becomes publicly installable.

GitHub Adds npm Staging

This approach introduces a critical security checkpoint, especially for automated CI/CD workflows that are often targeted in supply chain attacks.

Even if an attacker compromises a pipeline or injects malicious code, the package cannot be released without manual approval.

Key security benefits include:

  • Mandatory human approval enforced with two-factor authentication (2FA).
  • Visibility of staged packages through both npm CLI and npmjs.com.
  • Protection against unauthorized or automated publishing attempts.
  • Reinforced proof-of-presence for maintainers during release.

The feature is available starting with npm CLI version 11.15.0 and requires developers to switch from the traditional npm publish command to npm stage publish for staged workflows.

GitHub recommends combining staged publishing with trusted publishing using OpenID Connect (OIDC).

This setup allows CI/CD systems to publish packages directly into the staging queue without exposing long-lived credentials.

Organizations can enforce stage-only publishing policies, ensuring that:

  • Direct npm publish commands are rejected.
  • Only npm stage publish is allowed from CI pipelines.
  • Final approval is completed by a maintainer on a trusted device.

This model significantly reduces the risk of credential theft and automated malicious releases.

In addition to staged publishing, GitHub has introduced new install-time security flags in npm 11.15.0.

These flags provide granular control over where dependencies can be installed from, helping prevent malicious or unexpected sources.

New flags include:

  • --allow-file: Controls installations from local files or tarballs.
  • --allow-remote: Restricts dependencies fetched from remote URLs.
  • --allow-directory: Governs installs from local directories.
  • --allow-git (existing): Controls installations from Git repositories.

Each flag supports two modes: all (default) or none, and can be configured via .npmrc or package.json.

These controls allow developers to implement strict allowlist policies, reducing the attack surface from non-registry sources often used in dependency confusion or injection attacks.

Security Impact

GitHub also confirmed that in npm CLI version 12, the default behavior for --allow-git will change from all to none, signaling a shift toward stricter default security settings.

Developers are encouraged to adopt these restrictions early by manually configuring the new flags.

For example, an organization can configure its environment to block all non-registry installs:

  • Set --allow-remote=none
  • Set --allow-file=none
  • Set --allow-directory=none
  • Allow only trusted registry packages

Combined with staged publishing, this creates a controlled pipeline where both package creation and consumption are tightly secured.
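Before switching these flags to none, it helps to know which existing dependencies would stop installing. The following is an added example, not code from GitHub or npm: it classifies package.json dependency specs by source type and lists the ones a given policy would reject. The classification heuristics, the flag-to-type mapping, and the sample manifest are assumptions made for illustration.

```javascript
// Added example (not npm's own code). Simplified heuristics for dependency
// spec types; mapping each type to an --allow-* flag is an assumption based
// on the flag descriptions in the article.
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return 'remote';
  if (/^(file:|\.{1,2}\/|\/|~\/)/.test(s)) {
    // Local path: a tarball counts as "file", anything else as "directory".
    return /\.(tgz|tar\.gz|tar)$/i.test(s) ? 'file' : 'directory';
  }
  // "user/repo" or "user/repo#ref" shorthand points at a Git repository.
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return 'git';
  return 'registry'; // versions, ranges, dist-tags, npm: aliases
}

// Return every dependency whose source type is set to "none" in the policy.
function wouldBlock(manifest, policy) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const type = classifySpec(spec);
      if (type !== 'registry' && policy[type] === 'none') {
        findings.push({ field, name, spec, type, flag: `--allow-${type}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names and URLs).
const sampleManifest = {
  dependencies: {
    express: '^4.18.2',
    'internal-ui': 'file:../packages/internal-ui',
    'patched-lib': './vendor/patched-lib-1.0.0.tgz',
    'build-helper': 'https://downloads.example.test/build-helper-2.1.0.tgz',
  },
  devDependencies: { 'lint-rules': 'github:example-org/lint-rules#v3' },
};

// The three settings listed above; git stays at the npm 11 default of "all".
const strictPolicy = { remote: 'none', file: 'none', directory: 'none', git: 'all' };

console.log(wouldBlock(sampleManifest, strictPolicy));
```

With git left at all, the Git-hosted dev dependency is not reported; setting git to none in the policy shows what the npm CLI 12 default would add to the list.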

These updates directly address common supply chain attack vectors, including:

  • Malicious code injection in CI/CD pipelines.
  • Dependency confusion via external sources.
  • Unauthorized package publishing.

By introducing human validation and stricter dependency controls, GitHub is moving npm toward a zero-trust supply chain model.

Organizations using npm are strongly advised to upgrade to npm CLI 11.15.0 or later and update their workflows to take full advantage of these new protections.
