Node.js just got better enterprise security

Posted on Monday, October 9, 2017 by AUSTIN HARRIS, Global Sales

At Node.js Interactive North America, npm, Inc. announced new enterprise-grade security features for users of npm and the npm Registry: two-factor authentication for publishing packages and read-only authentication tokens.

With more than 550,000 packages for mobile, IoT, front end, back end and robotics, npm is the first software registry to provide two-factor authentication for publishers, making it even safer for the 8.8 million developers and hundreds of thousands of companies who download over three billion npm packages per week.

Key features


- Two-factor authentication (2FA): adds a second layer of protection for developers' accounts: a third party who guesses or steals a publisher's password still cannot log in or publish without the second factor. It also gives every user of the Registry stronger assurance that the packages they depend on are updated only by their publishers.

- Read-only authentication tokens: can be used to install private npm packages, but not to publish or otherwise change them; they can also be restricted to specific IP address ranges. Companies that run a Continuous Integration/Continuous Deployment (CI/CD) workflow gain an extra degree of safety: if a CI/CD token leaks, it cannot be used to publish or alter their code, and with an IP restriction it cannot be used to read their private packages from outside the permitted addresses either.

'More developers and companies than ever before use npm to manage code for every type of project. There has never been an incident in which anyone exploited a vulnerability to steal user credentials, but our work to improve security is never done,' said CJ Silverio, npm's chief technology officer. 'Developers and companies depend on us to add new, stronger barriers to protect the npm Registry and ensure the integrity of open source software so they can build amazing things.'

Two-factor authentication and read-only authentication tokens are the latest additions to npm's software features which also include on-premises and single-tenant private registries for enterprises; proactive analysis of the registry by security researchers to detect malicious packages; integration with the Node Security Platform to alert developers to known vulnerabilities; and security audits, code reviews, and penetration tests by ^Lift Security.

'Our team is extremely excited for the increased security that two-factor authentication and read-only tokens bring to developing with npm,' said Adam Baldwin, founder and team lead of ^Lift Security and founder of the Node Security Platform. 'Developers who choose to use 2FA get increased account security and set a precedent that they care about the integrity of their code. Using read-only tokens is a best practice for minimizing attack vectors and keeping private data secure.'

npm's two-factor authentication and read-only authentication tokens are available immediately to all developers who update their npm command-line client. They will also be included in the Node.js Foundation's Long Term Support (LTS) distribution of Node.js v8.

'As large enterprises continue to invest in the Node.js ecosystem, security and stability remain two of their top priorities,' said Mark Hinkle, executive director of the Node.js Foundation. 'npm's encouraging work ensures the security and stability of the Node.js and JavaScript package ecosystem.'
