NPM repository drops support for TLS 1.0 and 1.1

GitHub has decided to stop supporting the TLS 1.0 and 1.1 protocols in the NPM package repository and on all sites associated with the NPM package manager, including npmjs.com. Starting October 4, connections to the repository, including package installation, will require a client that supports at least TLS 1.2. GitHub itself dropped support for TLS 1.0/1.1 back in February 2018. The stated motivation is the security of the service and the privacy of user data. According to GitHub, about 99% of requests to the NPM repository are already made over TLS 1.2 or 1.3, and Node.js has supported TLS 1.2 since 2013 (starting with release 0.10), so the change will affect only a small fraction of users.
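As an added example (not part of the article and not npm's or GitHub's own code), the following Node.js script classifies a captured TLS ClientHello by the highest protocol version it offers, so an operator can spot build hosts or old clients that would be refused once the registry requires TLS 1.2. The `buildClientHello` helper and the bytes it produces are constructed test data, not a real capture; only the `supported_versions` extension and the `legacy_version` field are examined.

```javascript
// Map of TLS version codes to names; values outside this table (e.g. GREASE) are ignored.
const VERSION_NAMES = { 0x0301: 'TLSv1', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2', 0x0304: 'TLSv1.3' };
const MIN_ACCEPTED = 0x0303; // the new floor for the npm registry: TLS 1.2

// Highest TLS version a ClientHello record offers: the supported_versions extension
// (0x002b) wins when present, otherwise the legacy_version field in the hello body.
function clientHelloMaxVersion(record) {
  if (record[0] !== 0x16 || record[5] !== 0x01) throw new Error('not a TLS ClientHello record');
  let p = 9;                                   // skip record header (5) + handshake header (4)
  let max = record.readUInt16BE(p); p += 2;    // legacy_version
  p += 32;                                     // random
  p += 1 + record[p];                          // session_id
  p += 2 + record.readUInt16BE(p);             // cipher_suites
  p += 1 + record[p];                          // compression_methods
  if (p + 2 <= record.length) {                // extensions block is optional in old hellos
    const extEnd = p + 2 + record.readUInt16BE(p); p += 2;
    while (p + 4 <= extEnd) {
      const type = record.readUInt16BE(p), len = record.readUInt16BE(p + 2); p += 4;
      if (type === 0x002b) {                   // 1-byte list length, then 2-byte versions
        for (let q = p + 1; q + 2 <= p + len; q += 2) {
          const v = record.readUInt16BE(q);
          if (VERSION_NAMES[v] !== undefined) max = Math.max(max, v);
        }
      }
      p += len;
    }
  }
  return max;
}

// True when this client would be refused by a server that requires TLS 1.2 or newer.
function rejectedByTls12Floor(record) {
  return clientHelloMaxVersion(record) < MIN_ACCEPTED;
}

// Build a minimal ClientHello for testing. Constructed data, not a real capture.
function buildClientHello(legacyVersion, supportedVersions) {
  const body = [legacyVersion >> 8, legacyVersion & 0xff, ...new Array(32).fill(0)]; // version + random
  body.push(0);                                // session_id: empty
  body.push(0, 2, 0x00, 0x2f);                 // one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
  body.push(1, 0);                             // compression_methods: null only
  const list = supportedVersions.flatMap(v => [v >> 8, v & 0xff]);
  const ext = list.length ? [0x00, 0x2b, 0, list.length + 1, list.length, ...list] : [];
  body.push(ext.length >> 8, ext.length & 0xff, ...ext);
  const hs = [0x01, body.length >> 16, (body.length >> 8) & 0xff, body.length & 0xff, ...body];
  return Buffer.from([0x16, 0x03, 0x01, hs.length >> 8, hs.length & 0xff, ...hs]);
}

console.log(VERSION_NAMES[clientHelloMaxVersion(buildClientHello(0x0301, []))]); // TLSv1
```

Feed a real capture by passing the first TLS record of a connection (as a Buffer) to `rejectedByTls12Floor`; GREASE values that TLS 1.3 clients advertise are skipped so they do not inflate the result.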

Recall that the IETF (Internet Engineering Task Force) has officially declared the TLS 1.0 and 1.1 protocols obsolete. The TLS 1.0 specification was published in January 1999. Seven years later, the TLS 1.1 update was released with security improvements concerning the generation of initialization vectors and incremental padding. The main problems with TLS 1.0/1.1 are the lack of support for modern ciphers (for example, ECDHE and AEAD) and the specification's requirement to support old ciphers whose reliability is questionable given the current state of computing technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is mandatory, and MD5 and SHA-1 are used for integrity checking and authentication). Support for legacy algorithms has already enabled attacks such as ROBOT, DROWN, BEAST, Logjam and FREAK. However, these problems were not vulnerabilities in the protocol itself and were fixed at the implementation level. There are no critical vulnerabilities in the TLS 1.0/1.1 protocols themselves that can be used to carry out practical attacks.

Source: opennet.ru
