Today, we’re excited to announce that, in collaboration with GitHub’s token scanning partnership program, we’ve taken our existing token revocation efforts a step further. Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
“Security is all about defense-in-depth; we’re very excited to have npm join us in the token scanning partnership program because it’s one of the best ways we can protect our mutual customers from account hijack and malware in software dependencies,” said Justin Hutchings, Senior Product Manager - Security at GitHub.
How you can keep your account and packages safe
First, you can enable two-factor authentication (2FA) for your account. This means that when you log into the website or publish a package using a token that was set up for ‘auth and publish’, a second factor is required to permit this action.
Second, if you maintain a package with multiple maintainers, you can require that 2FA be enabled to publish a package.
Finally, you can take steps to make sure you don’t accidentally publish sensitive configuration files: add those files to your .gitignore so they are never committed, and use the files feature of package.json. This feature allows you to create an explicit list of the files you want to include in the published package, so anything not on the list stays out of the tarball.
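As an added example (not code from the npm blog post or from npm itself), the following script checks the two measures just described before a commit or publish: that a package.json carries a files allowlist, and that credential files such as .npmrc, where npm stores the _authToken used for publishing, are listed in .gitignore. The function names and the SENSITIVE_FILES list are this example's own assumptions, and the sample package.json and .gitignore contents are constructed for illustration.

```javascript
// Added example, not the npm project's code: a small pre-commit / pre-publish
// check for a "files" allowlist in package.json and a .gitignore that covers
// files likely to hold credentials. Function names and SENSITIVE_FILES are
// assumptions made for this example.

// Files that commonly contain secrets. .npmrc is where npm keeps the
// _authToken used for publishing, so it must never be committed.
const SENSITIVE_FILES = ['.npmrc', '.env'];

// Parse .gitignore text into the set of non-empty, non-comment patterns.
function parseGitignore(text) {
  return new Set(
    text
      .split(/\r?\n/)
      .map((line) => line.trim())
      .filter((line) => line.length > 0 && !line.startsWith('#')),
  );
}

// Return a list of findings; an empty list means the configuration looks sound.
function checkPublishConfig(packageJsonText, gitignoreText) {
  const pkg = JSON.parse(packageJsonText);
  const ignored = parseGitignore(gitignoreText);
  const findings = [];

  // 1. package.json should opt in to an explicit allowlist of published files.
  if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
    findings.push('package.json has no "files" allowlist; add one so only intended files are packed');
  } else {
    for (const entry of pkg.files) {
      if (SENSITIVE_FILES.includes(entry)) {
        findings.push(`"files" allowlist explicitly includes ${entry}`);
      }
    }
  }

  // 2. Credential files must be ignored by git so they never reach a public repository.
  for (const name of SENSITIVE_FILES) {
    if (!ignored.has(name)) {
      findings.push(`${name} is not listed in .gitignore`);
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real package).
const GOOD_PACKAGE_JSON = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  files: ['lib/', 'README.md'],
});
const GOOD_GITIGNORE = '# secrets\n.npmrc\n.env\nnode_modules/\n';

const BAD_PACKAGE_JSON = JSON.stringify({ name: 'example-pkg', version: '1.0.0' });
const BAD_GITIGNORE = 'node_modules/\n';

console.log('good config findings:', checkPublishConfig(GOOD_PACKAGE_JSON, GOOD_GITIGNORE));
console.log('bad config findings:', checkPublishConfig(BAD_PACKAGE_JSON, BAD_GITIGNORE));
```

Run it with node from the package root after swapping the constructed strings for the real file contents; the "bad" sample reports three findings (no allowlist, .npmrc not ignored, .env not ignored), the "good" sample none.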
About the npm Security Team