NPM 8.15 package manager release with support for local package integrity checking

GitHub has released the NPM 8.15 package manager that comes with Node.js and is used to distribute JavaScript modules. It is noted that more than 5 billion packages are downloaded via NPM daily.

Key changes:

  • A new "audit signatures" command has been added that performs a local check of the integrity of installed packages without requiring manual work with PGP utilities. The new verification mechanism relies on ECDSA digital signatures, with the signing keys managed in an HSM (Hardware Security Module). All packages in the NPM repository have already been re-signed with the new scheme.
  • Enhanced two-factor authentication is now generally available. A simplified browser-based login and publishing flow has been added to the npm CLI. When the "--auth-type=web" option is specified, a web interface opened in the browser is used to authenticate the account, and the session parameters are remembered. To establish a session, you need to confirm your email address using a one-time password (OTP); for operations in an already established session, confirming the second factor of two-factor authentication is enough. A remember mode is provided that allows publish operations for 5 minutes from the same IP address and the same token without further two-factor authentication prompts.
  • It is now possible to link GitHub and Twitter accounts to NPM, so that you can log in to NPM with your GitHub or Twitter account.

Future plans include making two-factor authentication mandatory for accounts associated with packages that have more than 1 million downloads per week or more than 500 dependent packages. Currently, two-factor authentication is required only for the 500 most popular packages.

Source: opennet.ru