We are excited to announce two new features for a safer npm package ecosystem experience: granular access tokens and the npm code explorer.
Stolen credentials are one of the main causes of data breaches. Safeguarding credentials can be a challenging task and the supply chain impact of a compromised token with broad permissions can be severe. To help npm maintainers more effectively manage their risk exposure to token compromise, we are introducing a granular access token type for npm. This new token allows npm package maintainers and org owners to create fine-grained access tokens.
For consumers of npm packages, we are introducing a new code explorer. Today, developers must download an npm package to inspect its contents. While performing an npm install to inspect and verify package contents is straightforward, it is not guaranteed to be a secure operation. The installed package may contain malicious or otherwise detrimental code which can be deployed on your system through, for example, malicious install scripts.
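The install-script risk above can be checked before anything is installed: the lifecycle scripts npm runs for a dependency are declared in its package.json, which can be fetched without installing (for example with `npm view <pkg>@<version> scripts --json`). The following is an added example, not code from npm or from this post; the sample manifest is constructed and the function names are this example's own.

```javascript
// Added example (not npm's code): report the lifecycle scripts that npm would
// execute when a package is installed as a dependency, so a reviewer can look
// at them before running `npm install`. Field and function names are ours.

// Lifecycle hooks npm runs for a dependency fetched from the registry.
const INSTALL_LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Constructed sample manifest (not a real package on the registry).
const SAMPLE_MANIFEST = {
  name: 'sample-pkg',
  version: '1.0.0',
  scripts: {
    preinstall: '',                 // empty: npm has nothing to run here
    postinstall: 'node setup.js',   // this one runs code on install
    test: 'jest',                   // not an install hook
  },
};

// Returns the install-time hooks that actually carry a command, plus a flag
// that says whether installing this package executes any code at all.
function installScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = {};
  for (const name of INSTALL_LIFECYCLE) {
    const cmd = scripts[name];
    if (typeof cmd === 'string' && cmd.trim() !== '') {
      hooks[name] = cmd;
    }
  }
  return {
    name: manifest.name || '(unknown)',
    version: manifest.version || '(unknown)',
    hooks,
    runsCodeOnInstall: Object.keys(hooks).length > 0,
  };
}

// Human-readable summary for a review checklist.
function describe(manifest) {
  const report = installScripts(manifest);
  const lines = [`${report.name}@${report.version}`];
  if (!report.runsCodeOnInstall) {
    lines.push('  no install-time scripts');
  } else {
    for (const [hook, cmd] of Object.entries(report.hooks)) {
      lines.push(`  ${hook}: ${cmd}`);
    }
  }
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(describe(SAMPLE_MANIFEST));
}
```

A package whose report shows `runsCodeOnInstall: true` deserves a look at the referenced files (the code explorer described in this post is one way to do that), and `npm install --ignore-scripts` installs without executing any of these hooks at all.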
With the npm code explorer, you can now view the contents of a package directly from the npm portal. This enables you to scrutinize the package before using it. Also, the code explorer was previously a paid feature, but it is now updated and available publicly for free!
Granular access tokens help publishers create tokens with limited access
npm has supported automation tokens for quite some time. Automation tokens allow you to publish to any package the token's owner has permission to publish to. Until now, it was not possible to create tokens following a least-privilege model that limits the impact of accidental or deliberate misuse of a token. The new granular access tokens allow you to do exactly this. You can now create tokens that can publish only to a limited set of packages and/or scopes.
Prior to granular access tokens, npm organization owners were limited in their ability to automate the management of their organization, its teams, and its members. Organization owners depended on publish tokens to drive their npm automation. Publish tokens are intended for interactive workflows, such as the npm CLI, and using them in automation was not recommended and often not feasible because of 2FA requirements.
Granular access tokens will allow npm organization owners to automate org management. You can now create tokens to manage one or more organizations, their teams, and members.
Granular access tokens also let you limit npm API access based on allowed IP ranges and come with an expiration period of up to one year. Fewer than 10% of npm tokens are used regularly, which leaves many tokens unnecessarily active and increases the chance that such a long-lived token is eventually compromised. Regularly rotating tokens and aggressively limiting their expiration to the minimum requirement significantly reduces the number of attack vectors on your npm organization.
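The properties just listed (package/scope restriction, allowed IP ranges, an expiration of at most one year, and actual usage) are exactly what a token-hygiene review checks for. The following added example, which is not code from npm or from this post, audits a token inventory against such a policy; the inventory schema and the field names are assumptions made for this example, and the sample entries are constructed, so a real inventory (for instance from `npm token list --json`) would need to be mapped onto these fields first.

```javascript
// Added example (not npm's code): flag npm tokens that are unused, never
// expire, live longer than one year, have no IP restriction, or can publish
// without a package/scope restriction. The record layout below is an
// assumption for this example, not npm's own token listing format.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample inventory of three tokens.
const SAMPLE_TOKENS = [
  {
    id: 'tok-ci-release',          // granular token scoped to one package
    type: 'granular',
    created: '2022-11-01T00:00:00Z',
    lastUsed: '2022-11-29T12:00:00Z',
    expires: '2023-01-30T00:00:00Z',
    allowedIpRanges: ['203.0.113.0/24'],
    packages: ['@acme/widgets'],
    scopes: [],
    permissions: 'read-write',
  },
  {
    id: 'tok-legacy-automation',   // old automation token, broad and idle
    type: 'automation',
    created: '2021-03-15T00:00:00Z',
    lastUsed: '2021-06-01T00:00:00Z',
    expires: null,
    allowedIpRanges: [],
    packages: [],
    scopes: [],
    permissions: 'read-write',
  },
  {
    id: 'tok-readonly-mirror',     // read-only, but set to expire too far out
    type: 'granular',
    created: '2022-11-20T00:00:00Z',
    lastUsed: '2022-11-30T00:00:00Z',
    expires: '2024-06-01T00:00:00Z',
    allowedIpRanges: [],
    packages: [],
    scopes: ['@acme'],
    permissions: 'read-only',
  },
];

const DEFAULT_POLICY = {
  maxUnusedDays: 90,     // revoke tokens idle longer than this
  maxLifetimeDays: 365,  // matches the one-year ceiling for granular tokens
};

// Evaluate one token against the policy; returns the list of findings.
function auditToken(token, now, policy) {
  const findings = [];
  const nowMs = now.getTime();
  // A token that was never used counts as idle since creation.
  const lastUsedMs = Date.parse(token.lastUsed || token.created);
  if (nowMs - lastUsedMs > policy.maxUnusedDays * DAY_MS) findings.push('unused');
  if (!token.expires) {
    findings.push('no-expiry');
  } else if (Date.parse(token.expires) - nowMs > policy.maxLifetimeDays * DAY_MS) {
    findings.push('expiry-too-long');
  }
  if (token.allowedIpRanges.length === 0) findings.push('no-ip-restriction');
  const canPublish = token.permissions !== 'read-only';
  if (canPublish && token.packages.length === 0 && token.scopes.length === 0) {
    findings.push('unrestricted-publish');
  }
  return { id: token.id, findings };
}

// Audit a whole inventory; only tokens with at least one finding are returned.
function auditTokens(tokens, now = new Date(), policy = DEFAULT_POLICY) {
  return tokens
    .map((t) => auditToken(t, now, policy))
    .filter((r) => r.findings.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditTokens(SAMPLE_TOKENS, new Date('2022-12-01T00:00:00Z'))) {
    console.log(`${r.id}: ${r.findings.join(', ')}`);
  }
}
```

Run against the sample on 2022-12-01, only the legacy automation token and the long-lived read-only token are reported; the package-scoped CI token with an IP allow list and a short expiry passes every check, which is the shape of token this post recommends.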
Read more about granular access tokens from our documentation here.
Code explorer gives visibility into the contents of a package directly from the npm portal
Code explorer was a paid feature available to teams and pro users for several years. We are happy to make a new and improved code explorer available publicly for free. The updated code explorer is more stable, faster, and works for almost all packages in the npm registry. We wanted to make this awesome feature available to all developers so that they can inspect a package before installing it. It provides syntax highlighting for .js, .ts, .md, .json, .css and other popular languages and markups used in npm packages. You can also view the contents of any prior version of a package. We have been using code explorer internally for the past few months to inspect packages reported as malicious.
If you’re using code explorer, we’d love to hear your feedback in our dedicated discussion.
An update on 2FA adoption
In addition to these two new features, npm has continued its commitment to improving the security of the npm ecosystem, and as of November 1, 2022, we have begun enrolling all maintainers of high-impact packages into mandatory 2FA for their accounts. High-impact packages are packages with more than 1 million weekly downloads and/or more than 500 dependents.