Security-focused improvements for npm

January 12, 2022

As part of our ongoing commitment to npm ecosystem security, and in advance of enforcing two-factor authentication for maintainers of top packages, the npm team has been hard at work improving the experience of using 2FA and of managing 2FA for organizations.

Customers who have enabled 2FA are likely to use automation tokens in their CI/CD infrastructure when automating tasks such as publishing a package. To make it clearer which token is used where, we now support naming tokens.

Similar to GitHub, it is now possible to enforce 2FA at the organization level on npm. On the members page of an organization, you can now click "Enable 2FA Enforcement" to require 2FA for all members of the organization. Current members who do not have 2FA enabled will be removed from the organization once you confirm the removal.

We have made it easier to audit adoption of 2FA in organizations as well. You can now see exactly which organization members have 2FA enabled already and filter the list to audit and prepare for enforcing 2FA in your org.

Finally, we've improved how members are added to organizations. Previously, all new members were automatically added to the developers team. Now you can select a different team to add members to when you send them the invitation.