npm is planning to implement staged publishing, a new security feature designed to prevent supply-chain attacks. The update introduces a mandatory pause between the upload of a package version and its public availability.
Key Features of Staged Publishing:
- Intermediate Review: New library versions will enter a “holding” stage before being released to the public.
- Explicit Approval: Maintainers must manually approve the release after the initial upload.
- MFA Requirement: Approval will require Multi-Factor Authentication (MFA) to ensure the person releasing the code is authorized.
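The three features above describe a small state machine: a version is uploaded into a holding stage, and only an explicit, MFA-backed approval by a maintainer moves it to public. The following is an added example that models that flow; it is not npm's implementation, and the `StagedRegistry` class, the stage names, the `verifyMfa` callback and the `scenario()` data are all constructed assumptions used to show why a stolen publish token alone no longer gets code in front of installers.

```javascript
// Added example: a toy model of the staged-publishing flow described above.
// This is NOT npm's implementation; the class, stage names and approval
// rules are assumptions chosen to show why the holding stage blocks a
// hijacked-token publish from reaching installers instantly.

const STAGE = Object.freeze({ HOLDING: "holding", PUBLIC: "public" });

class StagedRegistry {
  constructor() {
    // "name@version" -> { stage, uploadedBy, approvedBy }
    this.versions = new Map();
  }

  // Step 1: upload. Needs only a publish token, which is exactly what an
  // attacker holds after hijacking an account or leaking a CI secret.
  upload(name, version, token) {
    const key = `${name}@${version}`;
    if (this.versions.has(key)) throw new Error(`${key} already exists`);
    this.versions.set(key, { stage: STAGE.HOLDING, uploadedBy: token.user, approvedBy: null });
    return STAGE.HOLDING;
  }

  // Step 2: explicit approval. The gate requires a maintainer identity and a
  // successful second factor; `verifyMfa` stands in for the real MFA check.
  approve(name, version, approver, verifyMfa) {
    const key = `${name}@${version}`;
    const entry = this.versions.get(key);
    if (!entry) throw new Error(`${key} not found`);
    if (entry.stage !== STAGE.HOLDING) return { ok: false, reason: "not in holding" };
    if (!approver.isMaintainer) return { ok: false, reason: "not a maintainer" };
    if (!verifyMfa(approver)) return { ok: false, reason: "mfa failed" };
    entry.stage = STAGE.PUBLIC;
    entry.approvedBy = approver.name;
    return { ok: true, reason: null };
  }

  // What an installer sees: only PUBLIC versions resolve.
  resolve(name, version) {
    const entry = this.versions.get(`${name}@${version}`);
    return entry && entry.stage === STAGE.PUBLIC ? entry : null;
  }
}

// Constructed scenario (not a real incident): a version uploaded with a
// stolen token sits in holding until a maintainer approves it with MFA.
function scenario() {
  const reg = new StagedRegistry();
  const stolenToken = { user: "maintainer-a" }; // constructed sample token
  const maintainer = { name: "maintainer-a", isMaintainer: true };

  reg.upload("example-pkg", "9.9.9", stolenToken);
  const visibleAfterUpload = reg.resolve("example-pkg", "9.9.9") !== null;

  // Token holder tries to approve but cannot satisfy the second factor.
  const withoutMfa = reg.approve("example-pkg", "9.9.9", maintainer, () => false);
  const visibleAfterFailedApproval = reg.resolve("example-pkg", "9.9.9") !== null;

  // The real maintainer approves with a working second factor.
  const withMfa = reg.approve("example-pkg", "9.9.9", maintainer, () => true);
  const visibleAfterApproval = reg.resolve("example-pkg", "9.9.9") !== null;

  return { visibleAfterUpload, withoutMfa, visibleAfterFailedApproval, withMfa, visibleAfterApproval };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The point of the model is the separation of privileges: `upload` is satisfied by a bearer token, while `approve` also demands an interactive second factor, so a leaked token on its own leaves the version stuck in holding where `resolve` (the installer's view) never returns it. Whether the real feature is opt-in or mandatory, and how long the pause lasts, are the details the text notes as still unconfirmed.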
Current Status: According to reports from Socket, several details remain unconfirmed. It is currently unclear whether staged publishing will be mandatory for all packages or an opt-in feature. Additionally, npm has not yet released an official implementation timeline.
Despite the lack of a release date, the move marks a significant step toward securing the JavaScript ecosystem by preventing malicious code from being instantly distributed via hijacked accounts.