GitHub has added new security features to the JavaScript package manager npm: 2FA on the CLI, simple signature verification and verified account linking.
GitHub has announced three new functions for more security for the JavaScript package manager npm, which GitHub adopted in 2020. New is two-factor authentication from the command line, a simpler signature check without PGP and a verified check of GitHub and Twitter accounts with an npm account.
Two-factor authentication can be called from npm 8.14.0 with the command npm login --auth-type=web on. The standard browser opens and handles the login using a second factor, for example with a FIDO2 stick. For npm publish is working --auth-type Likewise. With this function, GitHub is preparing its big change for the end of 2023: Then all users who publish code will be obliged to use a second factor. Automated npm calls in scripts and CI/CD environments do not have to be activated with a second factor each time they are called. There are still access tokens for them, which you can generate as a double-authenticated user and assign specific rights to.
GitHub and Twitter verified
The second innovation sounds like a matter of course: If you want to store a Twitter or GitHub name in your npm profile, you now have to prove that you are logged in with this account as part of the link. According to GitHub, it was previously possible to type in data here without checking and thus pretend to be a well-known organization. Another advantage of linking: If you lose your access data for the npm account, linked accounts can be used for the recovery. Previously unverified information on GitHub and Twitter accounts is now removed from the profiles by npm.
ECDSA signatures
The command is also new npm audit signatures, which checks the integrity of npm packages. You can use it in CI/CD and also locally to find out whether a loaded package was subsequently manipulated. Not only the command is new, but also the procedure used. npm leaves the check with PGP behind and switches to the ECDSA procedure, which is based on elliptic curves, which means it can use shorter keys and work more efficiently. An advantage that should be noticeable in large projects with many dependencies: the check should be very quick.
GitHub has also announced its two-factor plan for the near future: In the next step, all npm packages with more than one million weekly downloads or 500 dependent packages will have a two-factor obligation. Before that, they want to optimize and automate the account recovery process.
