Beta release of verifiable GitHub and Twitter account linking

You can now link your GitHub and Twitter accounts with your npm account using an official OAuth integration with these services. Prior to this, GitHub and Twitter account linking used a plain text field which was not verified or validated.

The new experience creates a verified link, making it possible for developers to audit identities and trust that an account is who it claims to be. Verified linking also significantly improves our ability to recover your npm account if you are no longer able to log in.

Legacy data will no longer be shown on public npm profiles, and the data can no longer be set via the npm CLI. Legacy data will still be retained in your private profile until a verified link has been made and can be used for account recovery purposes.

Learn more about GitHub and Twitter account linking from our documentation page: “managing user account profile settings from the web”.

The enhanced Two-Factor Authentication (2FA) experience is now Generally Available. We previously announced a set of improvements in our public beta. In addition, we have made the following changes to streamline the CLI login experience.

  • As of npm 8.15.0, login and publish authentication from the CLI can be handled by the browser with the --auth-type=web flag.
  • Login can use an existing web session, only prompting for your second factor or email verification OTP to create a new CLI session.
  • Publish now supports “remember me for 5 minutes” and allows for subsequent publishes from the same IP + access token to avoid the 2FA prompt for a 5-minute period.
  • You can now use 2FA for re-verification requests while performing high privilege operations on npmjs.com.

Read more about two-factor authentication from our documentation.


The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.

Ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, by verifying the registry signatures of downloaded packages using the following npm CLI command:

npm audit signatures

The CLI will error if some packages have missing or invalid signatures. This could indicate that those packages might have been tampered with.

Read more about this feature from our documentation: about registry signatures.
