Deprecation notice for npm PGP signatures
In July 2022 the public npm registry migrated away from the existing PGP signatures to new ECDSA signatures for signature verification. PGP based registry signatures will be deprecated on April 25th...
npm provenance public beta
npm packages built on a cloud CI/CD system (like GitHub Actions) can now publish with provenance, meaning the package has verifiable links back to its source code and build instructions. The cloud...
npm packages are no longer signed with PGP signatures
In July 2022 the public npm registry migrated away from the existing PGP signatures to new ECDSA signatures for signature verification. As of May 2nd 2023, npm packages are no longer signed with PGP...
Dependabot alerts now automatically dismiss false positives for npm (public...
Starting today, Dependabot will be able to auto-dismiss npm alerts that have limited impact (e.g. long-running tests) or are unlikely to be exploitable. With this ship, Dependabot will cut false...
Accessibility improvements for npmjs.com
Many accessibility improvements have been deployed to npmjs.com. Highlights include: Site-wide improvements to color contrast, text resize, and support for users with low vision. Improvements that...
Improvements to granular access tokens on npm
Today we are making further improvements to granular access tokens in npm. Highlights of this update are Custom Expiration Times: You can now create granular access tokens with custom expiration times,...
Warn when the npm provenance source commit or repository cannot be found
npm will now check the linked source commit and repository when you view a package's provenance information on npmjs.com. If the linked source commit or repository cannot be found, an error displays at...
Publishing with npm provenance from private source repositories is no longer...
Starting today, publishing with provenance is restricted to public source repositories only. Private source repositories are no longer supported for use with provenance for public packages. As...
npm provenance general availability
npm provenance is now generally available. npm packages built on a supported cloud CI/CD system can publish with provenance. Today this includes GitHub Actions and GitLab CI/CD. Publishing with...
Block npm package publishes when names and versions don’t match between...
On September 27, 2023, we began blocking npm package publishes with differing name or version fields between the manifest and tarball package.json. This blocking protects against obfuscation. The...
npm feedback is now available on GitHub Community
npm feedback is now available on GitHub Community. Previously feedback for npm took place on the npm feedback channel, which is going to be sunset as we migrate unresolved discussions. External users...
Leaner npm packument (metadata) contents
Starting today, the npm registry will begin removing README content from package version metadata to reduce the size of package packuments, and improve the performance of the registry and package...
Sunset Notice – npm Hooks API Endpoints
Starting today, we are deprecating npm hooks services and they might no longer be functional, including current hooks subscriptions. This deprecation includes npm hooks API Endpoints and its related...
Announcing npm’s New Simplified Search Experience [GA]
Today, we’re excited to introduce a new, streamlined search experience on npmjs.com! This update provides clear, objective sorting options that make finding the right packages easier. The new search...
Changes and deprecation notice for npm replication APIs
We are making changes to npm replication APIs to optimize performance and availability. As part of this update, certain endpoints will be deprecated as of Thursday, May 29, 2025. To facilitate a...
Easily distinguish between direct and transitive dependencies for npm packages
npm’s massive ecosystem of open source packages is one of its greatest strengths. But as a security-conscious developer, it can be tough to keep up with vulnerability reporting and updates once your...