Microsoft-owned code repository GitHub has responded to recent node package manager (npm) attacks such as the Shai-Hulud self-replicating worm, attempting to restore trust in the open-source ecosystem.

Senior director of security research Xavier René-Corail unveiled a roadmap for npm to secure the publication of packages.

Among the changes being implemented are a requirement for two-factor authentication (2FA) for local publishing, and granular tokens that let developers restrict which packages and scopes the credentials can access.

Granular tokens can also be restricted to specific organisations, have expiration dates, be limited to particular Internet Protocol ranges, and be set to read-only, or have read and write access.

The Trusted Publishing authentication method from the Python
