track direct and transitive dependencies for npm packages with GitHub’s dependency graph ⬇️ https://t.co/qpGGToVKFb

starting today, developers building npm projects on @GitHub Actions can request a provenance statement to be published alongside their package, giving consumers a verifiable way to link a package back to its source repository and build instructions. https://t.co/8zilYJz5Dc

Now you can create tokens with fine-grained permissions for automating your publishing and org management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.

⚡️ #7: Use npm query and jq to dig into your dependencies https://t.co/PWfxmK21ja You can use the new "npm query" command and jq to answer interesting questions about your package's dependencies #terminalrocks

Today we opened an RFC with a proposal of how npm can collaborate with @projectsigstore to link packages to their source and build, a significant improvement to the supply chain security of the JavaScript ecosystem.

🚀 we just shipped npm v8.16.0 with the new `npm query` command 📦 this new feature allows developers to quickly ask & answer questions about their project's dependencies. you can learn more here: https://t.co/ZnAqV4x2Am ⬇️ to get it now, run: $ npm install -g npm

We've launched a number of security enhancements to npm including: * Improved login and publish experience /w CLI * Connecting GitHub + Twitter accounts * All packages have been resigned and a new command `npm audit signatures` Read more at:

do you publish from a npm workspace & use a root-level ignore file? if so, you should update to npm v8.11.0 or the latest versions of Node.js 16/17/18 to avoid a recently discovered vulnerability that wouldn't respect these files. read the advisory here:

GitHub has been actively investigating the attack campaign around stolen OAuth tokens, of which @npmjs was a victim organization. Today we’re sharing our final impact analysis for npm as well as additional findings.

🔒 an enhanced npm 2FA experience is now available in public beta. it includes: * support for physical security keys and biometric devices * support for multiple second factors * a new 2FA configuration menu and more! https://t.co/ZPtp0Gd2QU

🚀 Our CLI team just shipped their weekly release! 📦 npm@8.9.0 makes `npm owner` workspace-aware & also comes with some docs, deps & core updates/fixes. ⬇️ Get it now: $ npm install -g npm See more in the changelog: https://t.co/EuBNJ1VnYA

A new @npmjs cli release is out! 🚀 📦 npm@8.8.0 adds a new `--install-links` option to opt into packing+install dependencies defined using the `file:` protocol instead of symlinking. ⬇️ Get it now: $ npm install -g npm See more in the changelog:

we've got a jam packed Open RFC call today w/ some exciting topics like: v9 roadmap, `npm query` + dependency selector syntax, command-specific configuration & more... come join us live at 2pm EST: https://t.co/UFNKgH7qUt #npm #nodejs #javascript

It's npm cli release day again! 🎉 🚀 npm@8.4.1 - fixes `npm ci` lock file validation - fixes parsing aliases in `npm outdated` - And more! ⬇️ Get it now: npm install -g npm See more in the changelog:

exciting open rfc meeting planned today at 11am pt / 2pm et; we've got a full agenda including new rfcs for package distributions & ux changes to clean up deprecation warnings: https://t.co/yTVIrB9wlo 🎙 come join the discussion or watch live on youtube https://t.co/tegjwHbRe9

today we enrolled all maintainers of the top-100 npm packages in mandatory 2FA. read more about it on our blog:

a quick reminder that, on Tuesday, February 1, maintainers of the top-100 packages on the npm registry will be enrolled in mandatory 2FA

we hope to see you at our weekly open rfc meeting today! check out what's on the agenda and how to join ⬇️

we just shipped a number of security-focused improvements to npm including: - naming access tokens - enforcing 2FA in your npm orgs - improved auditing for 2FA adoption in orgs - selecting teams when adding new org members read more in our Changelog ⬇️

open rfc meeting is on for today and we've got a full agenda! we'll see you at 11am pt / 2pm et 🕚