GitHub Fortifies npm with Staged Publishing and Granular Install Controls
**GitHub** has introduced staged publishing for **npm**, requiring maintainer approval via two-factor authentication before packages are publicly available. This update aims to bolster software supply chain security by ensuring proof of presence for every publish. Additionally, new install source flags provide developers with more granular control over package installations.

### Staged Publishing Now Generally Available
**GitHub** has rolled out staged publishing, a new security feature for **npm** designed to enhance the security of the software supply chain. This feature grants maintainers the ability to explicitly approve a release before the packages are made publicly available for installation.
Staged publishing is now generally available on **npm**. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve a package before it is pushed to npmjs[.]com.
"Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable," **GitHub** said.
The **Microsoft**-owned subsidiary stated that this change ensures "proof of presence" for every publish, including those originating from non-interactive CI/CD workflows and trusted publishing with OpenID Connect (OIDC) authentication.
### Prerequisites for Staged Publishing
Before leveraging staged publishing, package maintainers must meet the following criteria:
* The maintainer must have publish access to the package.
* The package must already exist on the **npm** registry; brand-new packages cannot be staged.
* 2FA must be enabled on the maintainer's account.
Developers run `npm stage publish` from the root directory of the package to submit it to the staging area; the command requires **npm** CLI 11.15.0 or newer. For optimal protection, **GitHub** recommends pairing staged publishing with trusted publishing using OIDC.
### Granular Install Source Flags
A second update to **npm** introduces three new install source flags alongside the existing `--allow-git` flag:
* `--allow-file`: Controls installs from local file paths and local tarballs.
* `--allow-remote`: Controls installs from remote URLs, including https tarballs.
* `--allow-directory`: Controls installs from local directories.
These flags allow developers to "apply the same explicit-allowlist approach to every non-registry install source," according to **GitHub**.
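To see which of those allow flags a given project would actually need, a maintainer can audit the lockfile for dependencies that do not come from the registry. The script below is an added illustration, not code from GitHub or the npm CLI; it assumes the lockfileVersion 2/3 layout (one `resolved` URL per entry, `link: true` for local directories), a constructed sample lockfile, and a single allowed registry host.

```javascript
// Constructed sample lockfile fragment (not from the article); "packages" keys
// follow the lockfileVersion 2/3 layout, where each entry carries a "resolved" URL.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "git+ssh://git@github.com/example/left-pad.git#0123abcd",
    },
    "node_modules/internal-tool": { resolved: "file:../vendor/internal-tool-2.0.0.tgz" },
    "node_modules/hotfix-lib": { resolved: "https://example.invalid/hotfix-lib-0.1.0.tgz" },
    "node_modules/shared": { resolved: "../packages/shared", link: true },
  },
};

// Assumption: only the public npm registry counts as a registry source.
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Map one lockfile entry to the install source that the --allow-* flags govern.
function classifySource(entry) {
  const r = entry.resolved ?? "";
  // A linked entry or a bare relative path is a local directory (--allow-directory).
  if (entry.link || (r !== "" && !/^[a-z+]+:/i.test(r))) return "directory";
  if (/^git(\+[a-z]+)?:/i.test(r)) return "git";      // --allow-git
  if (/^file:/i.test(r)) return "file";               // --allow-file: local path or tarball
  if (/^https?:/i.test(r)) {
    // Registry tarballs are normal; any other http(s) tarball is a remote source (--allow-remote).
    return REGISTRY_HOSTS.has(new URL(r).host) ? "registry" : "remote";
  }
  return "unknown";
}

// Group every non-registry dependency by source so a reviewer can decide which
// --allow-* flags a CI install should grant, and which dependencies to question.
function auditNonRegistrySources(lock) {
  const report = { git: [], file: [], remote: [], directory: [], unknown: [] };
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const kind = classifySource(entry);
    if (kind !== "registry") report[kind].push(path.replace(/^node_modules\//, ""));
  }
  return report;
}
```

Running `auditNonRegistrySources(SAMPLE_LOCK)` on the sample lists one git, one file, one remote and one directory dependency; an empty report means a CI install can run with every non-registry source denied.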
### Addressing Supply Chain Attacks
This development arrives amidst a surge in software supply chain attacks targeting open-source ecosystems. Recent activity, including the **TeamPCP** compromises, underscores the need for enhanced security measures within the **npm** ecosystem.