February 1, 2022: We’ve updated this post to clarify our phased approach to rolling out 2FA enforcement on the npm registry.
In December, we announced that we were enrolling all npm publishers in enhanced login verification, and we shared ongoing investments we plan to make in the npm registry plus a timeline for rolling out enforced two-factor authentication (2FA) for high-impact packages, which are any packages with more than 1 million weekly downloads or 500 dependents.
Starting today, we are rolling out mandatory 2FA to our first cohort, all maintainers of top-100 npm packages by dependents. Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects.
Our initial rollout of enhanced login verification occurred between December 7, 2021 and January 4, 2022. Based on our findings from this initial phase, we are planning to enroll all npm accounts in enhanced login verification on March 1, 2022. We will be running two brown-out dates prior to launch, on February 16 and February 23, where we will temporarily opt in all accounts for a 24-hour period to ensure there are no surprises when we roll this out permanently for all customers. To learn more about enhanced login verification, you can visit our documentation.
In preparation to push for broader adoption of 2FA on npm, we have implemented and shipped a number of security-focused enhancements to improve the experience of using 2FA and managing 2FA for organizations.
team. Now, you can select a different team to add members to when you send them the invitation.

The next big technological investment for npm is implementing support for WebAuthn to allow maintainers to use and benefit from strong authentication provided by hardware keys and biometric devices. This is in addition to one-time password (OTP) authentication, which npm currently supports using a variety of available apps. We have a working prototype for registering and using security keys for 2FA for the npm website as well as the CLI. We’ve just finished working on the design for a refresh of our 2FA enrollment and management process, and engineering work on the production implementation kicked off this week.
We are committed to improving the security of the JavaScript and broader open source supply chain. As we make progress on larger initiatives like WebAuthn and enrolling all high-impact package maintainers in 2FA, we will continue to make smaller iterative improvements in the registry.
If you have any ideas about how we could improve the security of npm, please feel free to start a discussion on our public feedback repository or submit a proposal through our RFC process. If you haven’t yet enabled 2FA on your personal npm account, you can follow the instructions in our documentation to enroll today and take a step towards helping us secure the JavaScript software supply chain.