To improve security in the software supply chain, GitHub has rolled out new controls in npm that allow maintainers to explicitly approve releases before a package is publicly available for installation.
This feature, called gradual rollout, is currently generally available on npm. A human maintainer is required to approve a package by passing a two-factor authentication (2FA) challenge before it is pushed to npmjs.[.]Com.
“Instead of direct publishing, which makes packaged versions immediately available to consumers, pre-built tarballs are uploaded to a stage queue and must be explicitly approved by the maintainer before they can be installed,” GitHub said.
The Microsoft-owned subsidiary said the change ensures “proof of existence” for all publishes, including non-interactive CI/CD workflows and publishes from trusted publishes using OpenID Connect (OIDC) authentication.
Before using staged publishing, package administrators must meet the following criteria:
You have public access to the package You cannot stage a new package because the package already exists in the npm registry 2FA is enabled for your account
Developers can submit packages to the staging area using the command ‘npm stage public’ from the root directory of the package. To use this command, you must update to npm CLI 11.15.0 or later. For optimal protection, GitHub recommends a combination of staged publishing and trusted publishing using OIDC.
The second npm-focused update involves the introduction of three new installation source flags in addition to the existing -allow-git flag.
–allow-file: Controls installation from local file paths and local tarballs –allow-remote: Controls installation from remote URLs, including https tarballs –allow-directory: Controls installation from local directories
This flag allows developers to “apply the same explicit allowlist approach to all non-registry installation sources,” GitHub says.
The development comes amid a massive surge in software supply chain attacks targeting open source ecosystems over the past few months, with one cybercrime group known as TeamPCP working to contaminate popular packages on an unprecedented scale through self-perpetuating compromise cycles.
Source link
