NPM Releases New Security Features

| by David Iffland Follow 3 Followers on Oct 04, 2017. Estimated reading time: 1 minute |

A note to our readers: You asked so we have developed a set of features that allow you to reduce the noise: you can get email and web notifications for topics you are interested in. Learn more about our new features.

Today at the Node.js Interactive conference in Vancouver, BC, npm, Inc. announced the launch of new security features meant to keep the npm Registry more secure from attackers.

Given its widespread use and the way that JavaScript developers use npm packages for even the smallest purposes, the safety of the registry is of paramount concern. If an attacker were to gain access to the credentials of a heavily reference package, the damage could be widespread.

The new npm token CLI tool provides new ways to create tokens in a more secure manner. The ability to limit auth tokens becomes particularly useful in situations where the auth token is accidentally leaked. For example:

npm token create —cidr=[]

This will create a token that is only useable within a given IP range. In a situation where a token is leaked in source control or continuous integration logs, this token will only be useful within that IP range. If an attacker were to obtain the token, there would be limits to where it could be used.

Read-only tokens are now available as well:

npm token create —readonly

A token created this way will only be able to read the package, not publish.

Also new is the ability to protect a profile with two-factor authentication (2FA). Accounts can be hooked up with existing authentication apps such as Google Authenticator; text messages with SMS is not an option.

When 2FA is enabled in auth-and-writes mode, operations such as publishing a new version or changing the “latest” tag will require a one-time password from the authenticator. Below is a screenshot of what the process looks like when enabling 2FA.

Screenshot showing the process of enabling 2FA on an npm profile

Currently 2FA is enabled on a per-profile basis. This means that if a package has multiple maintainers, each one has to enable 2FA. In the near future, npm will offer the ability to require 2FA at the package level. Also, organizations using private repositories will be able to enable 2FA at the organization level.

According to npm CTO CJ Silverio, part of their goal is to make sure the registry is as secure as possible. “Npm wants to be so boring and reliable that you can thoughtlessly use npm multiple times per day” without worrying about the integrity of the registry, says Silverio.

Developers can use the new CLI tools with npm install -g npm@next.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Wrong tag by Martin Marchev

Why has that been tagged as Java post?

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

1 Discuss

Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you