Sun. Aug 14th, 2022

Developers using NPM, the popular JavaScript package manager, can now link their Twitter and GitHub accounts to their NPM accounts as a recovery method.

The move was announced Tuesday along with a handful of other features intended to combine enhanced security with usability for the package manager owned by GitHub.

In a blog post, GitHub said the changes would make it easier for users to secure their accounts, while also streamlining some security features that users had found inconvenient.

“The JavaScript community downloads more than 5 billion npm packages per day, and we at GitHub recognize how important it is that developers can do this with confidence,” wrote GitHub product managers Myles Borins and Monish Mohan. “As administrators of the npm registry, it is important that we continue to invest in improvements that increase developer confidence and the overall security of the registry itself.”

GitHub and Twitter accounts can now be used as NPM recovery options.
Image: GitHub/NPM

In addition to the ability to link Twitter and GitHub accounts as an authentication method, GitHub also announced that it would make it easier to use two-factor authentication (2FA) for logging in and publishing packages on NPM.

According to the blog post, NPM had previously tried using enhanced 2FA logins in a public beta, but after community feedback decided that certain features needed to be tweaked to be more user-friendly. This included adding a “remember me for 5 minutes” option so that users who successfully verified could disable 2FA prompts for a short period of time.
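The “remember me” behaviour described above is simple to model: once a one-time code is verified, the session is marked as trusted until a short deadline passes, and a fresh prompt is required afterwards. The following is an added illustration of that pattern, not code from npm or GitHub; the `SecondFactorGate` class, its method names and the 300-second grace value are assumptions chosen to match the article, and the TOTP routine follows RFC 6238 (SHA-1, 30-second step) so it can be checked against that RFC’s published test vector.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30          # RFC 6238 default time step in seconds
GRACE_SECONDS = 300     # the "remember me for 5 minutes" window from the article


def totp(secret: bytes, now: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """Return the RFC 6238 TOTP code for `secret` at Unix time `now`."""
    counter = now // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecondFactorGate:
    """Hypothetical 2FA gate: a verified session skips further prompts for `grace` seconds."""

    def __init__(self, secret: bytes, grace: int = GRACE_SECONDS):
        self.secret = secret
        self.grace = grace
        self._verified_until: dict[str, int] = {}   # session id -> Unix time the trust expires

    def needs_prompt(self, session: str, now: int) -> bool:
        """True when this session must present a fresh one-time code."""
        return self._verified_until.get(session, 0) <= now

    def verify(self, session: str, code: str, now: int) -> bool:
        """Check `code` against the current step and its neighbours (clock skew), then trust the session."""
        for drift in (-1, 0, 1):
            expected = totp(self.secret, now + drift * TOTP_STEP)
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(expected, code):
                self._verified_until[session] = now + self.grace
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret; not a real credential.
    secret = b"12345678901234567890"
    gate = SecondFactorGate(secret)
    t0 = 59
    print("code at t=59:", totp(secret, t0))                    # 287082 per RFC 6238
    print("verified:", gate.verify("cli-session", totp(secret, t0), t0))
    print("prompt again at +4m59s?", gate.needs_prompt("cli-session", t0 + 299))
    print("prompt again at +5m?", gate.needs_prompt("cli-session", t0 + 300))
```

Two design points worth noting for anyone building a similar gate: the trust is keyed per session, so a second CLI login on another machine still has to present a code, and the grace period is a fixed deadline set at verification time rather than a sliding window, so activity cannot extend it indefinitely.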

“Account security has been greatly improved by using 2FA, but if the experience adds too much friction, we can’t expect customers to start using it,” Borins and Mohan wrote. “Early adopters of our new 2FA experience shared feedback about the login and publishing process with the npm CLI, and we recognized there was room for improvement.”

The enhanced security features will be made available in NPM 8.15.0, released on July 26, the post said.

As a core part of the open-source software ecosystem for the JavaScript programming language, NPM has been targeted by a number of malicious actors over the years. One of the main strategies was for attackers to take control of packages by purchasing expired domains that package publishers had registered their accounts with, then using them to set up email accounts that could receive password-reset emails and so take over the package. In light of this, increasing the use of 2FA when logging into NPM accounts represents a major security improvement.

NPM’s parent company, GitHub, is also working to improve security on its larger code hosting platform: Earlier this year, the company announced that all users contributing code must have some form of 2FA enabled by the end of 2023.
