Staged publishing and new install-time controls for NPM
NPM has introduced two significant updates aimed at enhancing supply-chain security. Staged publishing is now generally available, requiring maintainer approval before packages are installable. Additionally, new install source flags have been added to provide more control over dependency installations from various sources.
- Staged publishing allows packages to be uploaded to a queue for maintainer approval before they become installable.
- The new install source flags include --allow-file, --allow-remote, and --allow-directory, complementing the existing --allow-git flag.
- NPM CLI version 11.15.0 or newer is required to utilize these new features.
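
To see which of these install sources a project actually relies on, the added example below (not code from npm or the GitHub post) inventories the direct dependencies of a package.json by source and checks a CLI version against the stated minimum. The classification rules are a simplified assumption modelled on npm's dependency spec forms; the page does not define how the flags categorise specs or what values they take.

```javascript
// Added example: a simplified classifier, not npm's own spec parser.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];
const MIN_NPM = "11.15.0"; // minimum CLI version stated on this page

// Map a package.json dependency spec to an install source (assumed categories).
function classifySpec(spec) {
  if (/^npm:/.test(spec)) return "registry"; // alias to a registry package
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return "git";
  if (/^https?:\/\//.test(spec)) return "remote"; // tarball fetched by URL
  if (/^(file:|\.|~\/|\/)/.test(spec)) {
    // Local path: a tarball counts as "file", anything else as "directory".
    return /\.(tgz|tar\.gz|tar)$/i.test(spec) ? "file" : "directory";
  }
  if (/^[^@\/\s:]+\/[^@\/\s:]+(#.*)?$/.test(spec)) return "git"; // user/repo shorthand
  return "registry"; // version, range or dist-tag
}

// List every direct dependency that does not come from the registry.
function inventory(pkg) {
  const found = { git: [], remote: [], file: [], directory: [] };
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const source = classifySpec(spec);
      if (source !== "registry") found[source].push(`${name}@${spec}`);
    }
  }
  return found;
}

// Numeric compare: as strings, "11.9.0" would wrongly sort above "11.15.0".
function meetsMinimum(version, minimum = MIN_NPM) {
  const a = version.split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Constructed sample manifest (not from the page).
const samplePkg = {
  dependencies: {
    "left-pad": "^1.3.0",
    "internal-lib": "git+https://git.example.com/team/internal-lib.git#v2.1.0",
    "vendored": "file:./vendor/vendored-1.0.0.tgz",
    "shared-ui": "file:../shared-ui",
  },
  devDependencies: { "build-tool": "https://downloads.example.com/build-tool-3.2.1.tgz" },
};
console.log(inventory(samplePkg), meetsMinimum("11.9.0"));
```

Only direct dependencies in package.json are covered; transitive ones would have to be read from the lockfile.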
Opening excerpt (first ~120 words):
Release, May 22, 2026

Staged publishing and new install-time controls for npm

Today we’re shipping two updates focused on supply-chain security for npm:

- Staged publishing is generally available.
- New --allow-* install source flags (--allow-file, --allow-remote, --allow-directory) complement the existing --allow-git flag.

Both are available in npm CLI 11.15.0 or newer.

Staged publishing is generally available

Staged publishing is now generally available on npm.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The GitHub Blog.