npm ships staged publishing GA and new --allow-* install source flags for supply-chain security
By brianmcnulty · 9d ago · 3 min read · News
Summary
npm has released two supply-chain security updates in CLI version 11.15.0+: staged publishing is now generally available (allowing maintainers to approve package versions before they go live), and new --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) have been added to complement the existing --allow-git flag, giving developers more granular control over where packages can be installed from.
Key quotes
Today we're shipping two updates focused on supply-chain security for npm.
Staged publishing is now generally available on npm.
Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it become
Today we’re shipping two updates focused on supply-chain security for npm: Staged publishing is generally available. New --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag. Both…