@npmjs profile picture
npm @npmjs
Joined June 2011
  • Tweets 4,706
  • Following 142
  • Followers 146,819
1,007 Photos and videos
npm@npmjs
May 20
1/ To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with write access that bypass 2FA. Update the stored token and rerun the workflow for your automations.
58
194
1,536
265,230
npm@npmjs
May 20
2/ Use npm Trusted Publishing to reduce reliance on such tokens. docs.npmjs.com/trusted-publi…

Trusted publishing for npm packages | npm Docs

Documentation for the npm registry, website, and command-line interface

docs.npmjs.com
6
5
121
22,867
npm@npmjs
5 Mar 2025
track direct and transitive dependencies for npm packages with GitHub’s dependency graph ⬇️ github.blog/changelog/2025-0…

Easily distinguish between direct and transitive dependencies for npm packages - GitHub Changelog

npm’s massive ecosystem of open source packages is one of its greatest strengths. But as a security-conscious developer, it can be tough to keep up with vulnerability reporting and updates…

github.blog
22
10
61
47,258
npm@npmjs
19 Apr 2023
starting today, developers building npm projects on @GitHub Actions can request a provenance statement to be published alongside their package, giving consumers a verifiable way to link a package back to its source repository and build instructions. github.blog/2023-04-19-intro…

Introducing npm package provenance

How to verifiably link npm packages to their source repository and build instructions.

github.blog
14
74
259
136,055
npm@npmjs
7 Dec 2022
Now you can create tokens with fine-grained permissions for automating your publishing and org management workflows. And a new code explorer allows you to view content of a package directly in the npm portal. github.blog/2022-12-06-new-n…

New npm features for secure publishing and safe consumption

Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly...

github.blog
3
11
43
npm retweeted
Elijah Manor@elijahmanor
5 Oct 2022
⚡️ #7: Use npm query and jq to dig into your dependencies youtube.com/watch?v=h_ZpixOg… You can use the new "npm query" command and jq to answer interesting questions about your package's dependencies #terminalrocks
8
17
46
npm@npmjs
8 Aug 2022
Today we opened an RFC with a proposal of how npm can collaborate with @projectsigstore to link packages to their source and build, a significant improvement to the supply chain security of the JavaScript ecosystem. github.blog/2022-08-08-new-r…

New request for comments on improving npm security with Sigstore is now open

Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages...

github.blog
7
40
145
npm@npmjs
3 Aug 2022
🚀 we just shipped npm v8.16.0 with the new `npm query` command 📦 this new feature allows developers to quickly ask & answer questions about their project's dependencies. you can learn more here: github.blog/changelog/2022-0… ⬇️ to get it now, run: $ npm install -g npm

Introducing the new npm Dependency Selector Syntax - GitHub Changelog

npm query is a new top-level command as of npm v8.16.0 which accepts a Dependency Selector (as defined in the Dependency Selector Syntax Specification) & returns a filtered JSON Array/NodeList…

github.blog
4
29
77
npm@npmjs
26 Jul 2022
We've launched a number of security enhancements to npm including: * Improved login and publish experience /w CLI * Connecting GitHub Twitter accounts * All packages have been resigned and a new command `npm audit signatures` Read more at: github.blog/2022-07-26-intro…

Introducing even more security enhancements to npm

New npm security enhancements include an improved login and publish experience with the npm CLI, connected GitHub and Twitter accounts, and a new CLI command to verify the integrity of packages in...

github.blog
3
56
192
npm@npmjs
2 Jun 2022
do you publish from a npm workspace & use a root-level ignore file? if so, you should update to npm v8.11.0 or the latest versions of Node.js 16/17/18 to avoid a recently discovered vulnerability that wouldn't respect these files. read the advisory here: github.co/3zebIPH

Packing does not respect root-level ignore files in workspaces

### Impact `npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`)...

github.com
4
24
43
npm retweeted
GitHub Security@GitHubSecurity
27 May 2022
GitHub has been actively investigating the attack campaign around stolen OAuth tokens, of which @npmjs was a victim organization. Today we’re sharing our final impact analysis for npm as well as additional findings. github.blog/2022-05-26-npm-s…

npm security update: Attack campaign using stolen OAuth tokens

npm's impact analysis of the attack campaign using stolen OAuth tokens and additional findings.

github.blog
GitHub Security@GitHubSecurity
15 Apr 2022
GitHub has uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI. Read more about the impact to GitHub, npm, and our users. github.blog/2022-04-15-secur…
2
98
192
npm@npmjs
10 May 2022
🔒 an enhanced npm 2FA experience is now available in public beta. it includes: * support for physical security keys and biometric devices * support for multiple second factors * a new 2FA configuration menu and more! github.blog/2022-05-10-enhan…

Enhanced 2FA experience for your npm account

Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to…

github.blog
2
35
60
npm@npmjs
4 May 2022
🚀 Our CLI team just shipped their weekly release! 📦 npm@8.9.0 makes `npm owner` workspace-aware & also comes with some docs, deps & core updates/fixes. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releases/…

Release v8.9.0 · npm/cli

v8.9.0 (2022-05-04) Features 62af3a1 #4835 feat: make npm owner workspace aware (@wraithgar) Bug Fixes d654e7e #4781 fix: start consolidating color output (@wraithgar) b9a966c #4843 fix(exec): i...

github.com
8
24
npm retweeted
🦋 @ruyadorno.com@ruyadorno
27 Apr 2022
A new @npmjs cli release is out! 🚀 📦 npm@8.8.0 adds a new `--install-links` option to opt into packing install dependencies defined using the `file:` protocol instead of symlinking. ⬇️ Get it now: $ npm install -g npm See more in the changelog: github.com/npm/cli/releases/…

Release v8.8.0 · npm/cli

v8.8.0 (2022-04-27) Features bedd8a1 #4745 feat: add install-links config definition (@nlf) Bug Fixes 6253d19 #4643 fix(exec): workspaces support (@ruyadorno) e9163b4 #4657 fix(libnpmpublish): u...

github.com
1
8
21
npm@npmjs
6 Apr 2022
we've got a jam packed Open RFC call today w/ some exciting topics like: v9 roadmap, `npm query` dependency selector syntax, command-specific configuration & more... come join us live at 2pm EST: github.com/npm/rfcs/issues/5… #npm #nodejs #javascript

Open RFC Meeting - Wednesday, April 6, 2022, 2:00 PM EST · Issue #565 · npm/rfcs

Why? In our ongoing efforts to better listen to & collaborate with the community, we've started an Open RFC call that helps to move conversations & initiatives forward. When? Wednesday,...

github.com
2
8
17
npm retweeted
🦋 @ruyadorno.com@ruyadorno
3 Feb 2022
It's npm cli release day again! 🎉 🚀 npm@8.4.1 - fixes `npm ci` lock file validation - fixes parsing aliases in `npm outdated` - And more! ⬇️ Get it now: npm install -g npm See more in the changelog: github.com/npm/cli/releases/…

Release v8.4.1 · npm/cli

v8.4.1 (2022-02-03) Bug Fixes 1b9338554 #4359 fix(log): pass in logger to external modules (@wraithgar) 457e0ae61 #4363 fix(ci): lock file validation (@ruyadorno) c0519edc1 #4364 fix(ci): should n...

github.com
22
7
33
npm@npmjs
2 Feb 2022
exciting open rfc meeting planned today at 11am pt / 2pm et; we've got a full agenda including new rfcs for package distributions & ux changes to clean up deprecation warnings: github.com/npm/rfcs/issues/5… 🎙 come join the discussion or watch live on youtube youtube.com/channel/UCK71Wk0…

Open RFC Meeting - Wednesday, February 2, 2022, 2:00 PM EST · Issue #520 · npm/rfcs

Why? In our ongoing efforts to better listen to & collaborate with the community, we've started an Open RFC call that helps to move conversations & initiatives forward. When? Wednesday,...

github.com
12
4
11
npm@npmjs
1 Feb 2022
today we enrolled all maintainers of the top-100 npm packages in mandatory 2FA. read more about it on our blog: github.blog/2022-02-01-top-1…

Top-100 npm package maintainers now require 2FA, and additional security-focused improvements to npm

Starting today, all maintainers of top-100 npm packages, by dependents, will now be enrolled in mandatory 2FA for their accounts.

github.blog
7
34
198
npm@npmjs
7 Dec 2021
continuing our commitment to npm security with the introduction of new enhanced login verification and timeline for two-factor authentication enforcement github.blog/2021-12-07-enrol…

Enrolling all npm publishers in enhanced login verification and next steps for two-factor authent...

Today we're introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning Dec 7.

github.blog
12
41
152
npm@npmjs
25 Jan 2022
a quick reminder that, on Tuesday, February 1, maintainers of the top-100 packages on the npm registry will be enrolled in mandatory 2FA
2
9
24
npm@npmjs
19 Jan 2022
we hope to see you at our weekly open rfc meeting today! check out what's on the agenda and how to join ⬇️ github.com/npm/rfcs/issues/5…

Open RFC Meeting - Wednesday, January 19, 2022, 2:00 PM EST · Issue #512 · npm/rfcs

Why? In our ongoing efforts to better listen to & collaborate with the community, we've started an Open RFC call that helps to move conversations & initiatives forward. When? Wednesday,...

github.com
2
2
6
Load more