
Security-focused improvements for npm

As part of our ongoing commitment to npm ecosystem security, and in advance of enforcing two-factor authentication for maintainers of top packages, the npm team has been hard at work improving the experience of using 2FA and of managing 2FA for organizations.

Customers who have enabled 2FA are likely to use automation tokens in their CI/CD infrastructure when automating tasks such as publishing a package. To make it clearer which token is used where, we now support naming tokens.

Similar to GitHub, it is now possible to enforce 2FA at the organization level on npm. On the members page of an organization, you can now click "Enable 2FA Enforcement" to enforce 2FA for all members of the organization. If current members do not have 2FA enabled, they will be removed when you confirm removal.

We have made it easier to audit adoption of 2FA in organizations as well. You can now see exactly which organization members have 2FA enabled already and filter the list to audit and prepare for enforcing 2FA in your org.

Finally, we've improved how members are added to organizations. Previously all members would be automatically added to the developers team. Now you can select a different team to add members to when you send them the invitation.
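To show where such an automation token ends up in practice, here is an added example of a GitHub Actions workflow that publishes a package with an npm automation token; it is not code from the npm team or this changelog. The secret name NPM_AUTOMATION_TOKEN, the Node version and the tag trigger are assumptions; `actions/setup-node` with `registry-url` and the `NODE_AUTH_TOKEN` variable are the documented way to hand the token to `npm publish`.

```yaml
# Added example (not from the npm changelog): publish on a version tag using an
# npm automation token stored as a repository secret. Giving the token a
# descriptive name on npmjs.com (e.g. the repository it serves) makes it easy
# to find and revoke the right one later.
name: publish

on:
  push:
    tags:
      - 'v*'

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'            # assumption: any supported LTS works
          # registry-url makes setup-node write an .npmrc that reads the
          # token from NODE_AUTH_TOKEN at publish time
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm test
      - run: npm publish
        env:
          # exposed only to the publish step, not to the whole job
          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTOMATION_TOKEN }}
```

Scoping the token to the single publish step keeps it out of the environment of `npm ci` and `npm test`, where third-party scripts run.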

Git.io is a URL shortening website that GitHub created in 2011 for redirecting to GitHub domains like github.com and github.io. What began as an experiment was only lightly documented and thus not heavily used.

Today, git.io is increasingly being used for malicious purposes. At GitHub, we want to end that activity, focus on building great developer tools, and cede URL shortening to companies and teams who provide it as a core offering. There are many URL shortening services available today that have more capabilities than git.io.

For these reasons, we have disallowed new link creation on git.io. Existing URLs will continue to be accessible, but we encourage using one of the many URL shortening services that are available, instead of git.io, as we will be deprecating the tool in the future. This allows us to concentrate on what we’re able to make and keep great.


Windows Server 2022 became generally available on GitHub-hosted runners in November 2021. Over the next 8 weeks, jobs using the windows-latest runner label will migrate from Windows Server 2019 to Windows Server 2022. During the migration, you can determine whether your job has already migrated by viewing the Virtual Environment information in the Set up job step of your logs.

Use GitHub Actions to build your apps with the latest Visual Studio 2022 by updating your workflows to include runs-on: windows-latest:

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-dotnet@v1
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test

The Windows Server 2022 runner image has different tools and tool versions than Windows Server 2019. See the full list of changed software.
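Because windows-latest changes image during the migration, a build can pick up different tool versions from one run to the next. The following added example (not code from the GitHub changelog) runs the same build on both images by pinning the windows-2019 and windows-2022 labels explicitly, and adds a PowerShell step that records which image a job landed on from the Windows build number. The workflow name and the build-number check are my additions; the build numbers themselves are the standard values Windows reports (17763 for Server 2019, 20348 for Server 2022), and the dotnet steps mirror the workflow above.

```yaml
# Added example (not from the GitHub changelog): pin both Windows images and
# report which one each job resolved to, so image-related differences show up
# as a matrix leg rather than as an unexplained change under windows-latest.
name: windows-image-check

on: [push]

jobs:
  build:
    strategy:
      matrix:
        # explicit labels pin the image; windows-latest moves between them
        image: [windows-2019, windows-2022]
    runs-on: ${{ matrix.image }}
    steps:
      - uses: actions/checkout@v2
      - name: Report runner image
        shell: pwsh
        run: |
          # OSVersion in pwsh returns the real build number of the host
          $build = [System.Environment]::OSVersion.Version.Build
          $name = switch ($build) {
            17763   { 'Windows Server 2019' }
            20348   { 'Windows Server 2022' }
            default { "unrecognized build $build" }
          }
          Write-Host "Label ${{ matrix.image }} resolved to $name (build $build)"
      - uses: actions/setup-dotnet@v1
      - name: Build
        run: dotnet build
      - name: Run tests
        run: dotnet test
```

Once both legs are green, switching the matrix to a single windows-2022 entry (or back to windows-latest) is a deliberate, reviewed change rather than one that happens during the rollout window.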

If you spot any issues with your workflows when using Windows Server 2022, please let us know by creating an issue in the virtual-environments repository.
