npm, Inc. Adds Enterprise-Grade Security to World’s Largest Software Registry

New Features Include Two-Factor Authentication and Read-Only Authentication Tokens

VANCOUVER, British Columbia--()--Today at Node.js Interactive North America, npm, Inc., which runs the world’s largest software registry and maintains the npm software package management application, announced new enterprise-grade security features for users of npm and the npm Registry: two-factor authentication for publishing packages and read-only authentication tokens.

With more than 550,000 packages for mobile, IoT, front end, back end and robotics, npm is the first software registry to provide two-factor authentication for publishers, making it even safer for the 8.8 million developers and hundreds of thousands of companies who download over three billion npm packages per week.

New features that help teams to discover, share and reuse code with confidence include:

  • Two-factor authentication (2FA): offers an additional layer of protection for developers, as a third party cannot gain access to their npm account by guessing or stealing their password; also provides assurance to all users of the Registry that packages they depend upon are only updated by their publishers.
  • Read-only authentication tokens: can be used to read private npm code, but not to write changes to the code; can also be restricted to work from only specific IP addresses. Companies that run a Continuous Integration/Continuous Deployment (CI/CD) workflow gain an extra degree of security: even if their CI/CD tools’ credentials are compromised, they cannot be used by third parties to access or alter their code.

npm, Inc. Chief Technology Officer CJ Silverio will discuss these and other security-related technologies in a Node.js Interactive presentation on Keeping JavaScript Safe: Security & the npm Registry, today at 11am PDT in West Ballroom A.

“More developers and companies than ever before use npm to manage code for every type of project. There has never been an incident in which anyone exploited a vulnerability to steal user credentials, but our work to improve security is never done,” said Silverio. “Developers and companies depend on us to add new, stronger barriers to protect the npm Registry and ensure the integrity of open source software so they can build amazing things.”

Two-factor authentication and read-only authentication tokens are the latest additions to npm’s secure software features which also include on-premises and single-tenant private registries for enterprises; proactive analysis of the registry by security researchers to detect malicious packages; integration with the Node Security Platform to alert developers to known vulnerabilities; and security audits, code reviews, and penetration tests by ^Lift Security.

“Our team is extremely excited for the increased security that two-factor authentication and read-only tokens bring to developing with npm,” said Adam Baldwin, founder and team lead of ^Lift Security and founder of the Node Security Platform. “Developers who choose to use 2FA get increased account security and set a precedence that they care about the integrity of their code. Using read-only tokens is a best practice for minimizing attack vectors and keeping private data secure.”

npm’s two-factor authentication and read-only authentication tokens are available immediately to all developers who update their npm application. They will also be included in the Node.js Foundation’s Long Term Support (LTS) distribution of Node.js v8.

“As large enterprises continue to invest in the Node.js ecosystem, security and stability remain two of their top priorities,” said Mark Hinkle, executive director of the Node.js Foundation. “npm’s encouraging work ensures the security and stability of the Node.js and JavaScript package ecosystem.”

To see a demo of npm’s new security features, visit booth S3 at Node.js Interactive. To learn more, visit: blog.npmjs.org.

About npm, Inc.

npm, Inc., founded in Oakland, California, in 2014 by Isaac Z. Schlueter and Laurie Voss, maintains the npm package manager for JavaScript and hosts the world’s largest software registry. Created in 2009 as an open-source package manager for Node.js, npm has been embraced by millions of developers worldwide for client- and server-side applications as diverse as IoT, mobile development, financial services and aerospace. More than 100,000 companies, including BBC, DocuSign, Electronic Arts, Hyperloop One, Juniper Networks, Nvidia, Slack and Visa, rely on npm’s products and services to reduce developer friction and build amazing things.

Contacts

FOLIO Communications Group LLC
Cybele Diamandopoulos, 512-535-4422
npminc@foliocom.com

Release Summary

npm, Inc. announces two-factor authentication and read-only authentication tokens for users of npm and the npm Registry.

Contacts

FOLIO Communications Group LLC
Cybele Diamandopoulos, 512-535-4422
npminc@foliocom.com