
GitHub Enhances npm Security with Staged Publishing & Install Controls

Hacker News

GitHub has rolled out staged publishing for npm, a security-focused update requiring manual approval before package versions go live. This ensures every publish, even from automated CI/CD workflows, undergoes human verification via a 2FA-protected queue visible in the npm CLI and on npmjs.com. Staged publishing strengthens proof of presence by mandating approval from a maintainer, adding a critical layer against unauthorized or malicious releases. The feature is available immediately with npm CLI 11.15.0 or newer.

The update also introduces three new install-source flags: `--allow-file`, `--allow-remote`, and `--allow-directory`, complementing the existing `--allow-git` flag. These allow users to explicitly permit or block installations from local files, remote URLs, or directories—preventing unintended dependency pulls. Notably, `--allow-git` will default to 'none' in npm 12, making these new flags essential for stricter control. Developers can configure these in `.npmrc` or `package.json`, offering granular security tailored to workflows. This shift emphasizes proactive risk management, particularly for organizations handling sensitive dependencies.
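The four install-source flags each govern one kind of dependency specifier, so before turning them all to 'none' it helps to know which entries in a project's `package.json` would stop resolving. The script below is an added example, not npm's or GitHub's code: it classifies each dependency spec into the registry, file, directory, remote or git category and reports which ones a strict policy would block. The classifier is a deliberate simplification of npm's own spec parsing (real npm handles more forms, such as `npm:` aliases), applying 'none' to all four flags is an assumption of this example (the page only states that `--allow-git` will default to 'none' in npm 12), and the `package.json` it audits is constructed.

```javascript
// Added example (not npm's code): map dependency specs in a package.json onto the
// source categories governed by npm's --allow-git / --allow-file / --allow-remote /
// --allow-directory install flags, and list what a strict policy would block.
// The classifier below is a simplification of npm's own spec parsing and is an
// assumption of this example; the sample package.json is constructed.

// Constructed sample: one dependency of each source kind plus two registry specs.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "express": "^4.19.0",                                                // registry (range)
    "lodash": "latest",                                                  // registry (dist-tag)
    "shared-utils": "file:../shared-utils",                              // directory
    "vendored-parser": "file:./vendor/parser-1.2.3.tgz",                 // file (local tarball)
    "mirror-lib": "https://mirror.example.test/mirror-lib-2.0.0.tgz",   // remote (URL tarball)
    "internal-tool": "git+ssh://git@github.com/example-org/internal-tool.git", // git
    "gh-shorthand": "example-org/gh-shorthand#v1.0.0"                    // git (hosted shorthand)
  },
  devDependencies: {
    "jest": "~29.7.0"                                                    // registry (range)
  }
});

// Source category for one dependency spec, named after the flag that governs it.
function classifySpec(spec) {
  const s = String(spec).trim();
  // file: specs and bare relative/absolute paths: tarballs are "file", anything else "directory".
  const pathLike = s.startsWith("file:") ? s.slice("file:".length) : s;
  if (s.startsWith("file:") || /^(\.\.?\/|\/|~\/)/.test(pathLike)) {
    return /\.(tgz|tar\.gz|tar)$/i.test(pathLike) ? "file" : "directory";
  }
  // http(s) URLs fetch a tarball from an arbitrary host.
  if (/^https?:\/\//i.test(s)) return "remote";
  // Explicit git protocols and hosted-git prefixes.
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i.test(s)) return "git";
  // owner/repo[#ref] shorthand also resolves to a git host.
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "git";
  // Everything else (ranges, exact versions, dist-tags) comes from the configured registry.
  return "registry";
}

// Walk the dependency fields npm installs from and decide each entry under the policy.
// A source is blocked when the policy value for its flag is 'none'; registry specs
// are not governed by these flags and are always allowed here.
function auditDependencies(packageJsonText, policy) {
  const pkg = JSON.parse(packageJsonText);
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const source = classifySpec(spec);
      const allowed = source === "registry" || policy[source] !== "none";
      findings.push({ field, name, spec, source, allowed });
    }
  }
  return findings;
}

// Strict policy for this example: 'none' (the value the page gives for --allow-git's
// npm 12 default) applied to all four source kinds. Applying it to every flag is an
// assumption of this example, not something the page states.
const STRICT_POLICY = { git: "none", file: "none", remote: "none", directory: "none" };

function blockedUnderPolicy(packageJsonText, policy = STRICT_POLICY) {
  return auditDependencies(packageJsonText, policy).filter(f => !f.allowed);
}

// Stand-alone use: `node audit-sources.js [path/to/package.json]`; without an
// argument the constructed sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const text = process.argv[2]
    ? require("fs").readFileSync(process.argv[2], "utf8")
    : SAMPLE_PACKAGE_JSON;
  for (const f of auditDependencies(text, STRICT_POLICY)) {
    console.log(`${f.allowed ? "ok     " : "BLOCKED"} ${f.source.padEnd(9)} ${f.field}.${f.name} -> ${f.spec}`);
  }
}
```

Running it against the sample flags the five non-registry entries; relaxing a single flag (for instance keeping git sources permitted while the others stay at 'none') shrinks the list accordingly, which is the decision each team has to make per source kind before the npm 12 default change lands.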

The changes reflect a broader trend in npm security, where supply-chain threats demand rigorous oversight. By combining staged publishing with trusted publishing (OIDC), GitHub enables workflows where CI/CD pipelines handle non-interactive publishes to a staging queue, while human approvers finalize releases from secure devices. This balances automation with accountability. For teams already using trusted publishing, migration is straightforward via the Feb 2026 release. Adopting `npm stage publish` instead of `npm publish` in CI workflows is recommended. These updates underscore npm’s evolution toward supply-chain security, addressing vulnerabilities in dependency management through automation-aware, human-verified processes.