GitHub Introduces Staged Publishing for npm with 2FA Approval
Enable staged publishing for npm packages and require 2FA approval before releases go public.
Activate staged publishing on your npm projects and enforce 2FA for release approvals.
Summary
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release before the packages become publicly available for installation. The feature, called staged publishing, is now generally available on npm. It requires a human maintainer to pass a two-factor authentication (2FA) challenge to approve the release, so every release is reviewed and approved by a person before it is published, which reduces the risk of malicious code being distributed through a compromised publish step. The new controls aim to strengthen the integrity of npm packages and protect developers from supply-chain attacks. The feature is designed to be easy to enable for existing npm projects. Organizations should enable staged publishing to add an extra layer of security to their release process.
Key changes
- GitHub introduces staged publishing for npm
- Maintainers must approve releases before public availability
- Feature requires 2FA challenge
- Now generally available
- Improves supply chain security
- Allows explicit release control