Skip to content

Update and Show Status of Dependabot Security Updates in API

You will now be able to see whether Dependabot security updates are enabled or disabled in the security and analysis block within the repository information you can fetch from the REST API, and enable or disable them via API requests.

For more information, you can check out our repository API documentation.

npm will now check the linked source commit and repository when you view a package's provenance information on If the linked source commit or repository cannot be found, an error displays at the top of the page and alongside the provenance information to let you know that provenance for this package can no longer be established. This can happen when a repository is deleted or made private.

Note: In future releases, publishing a public package with provenance from a private source repository will not be allowed.

Read more about viewing npm provenance and publishing with provenance.

See more

Today we are making further improvements to granular access tokens in npm.

Highlights of this update are

  • Custom Expiration Times: You can now create granular access tokens with custom expiration times, allowing for durations that span multiple years.
  • Increased Token Limit: We have expanded the maximum limit for granular access tokens creation to 1000. This enables maintainers with a large amount of packages to secure their publishing workflows more efficiently.

We recommend using granular access tokens with least privileges (for example one token per package) for automating your publishing and org management activities.

Read more about creating a granular access tokens here.

See more