GitHub has announced the release of the npm 8.15 package manager, which ships with Node.js and is used to distribute JavaScript modules. It is noted that more than 5 billion packages are downloaded through npm every day.
Key changes:
- Added a new "audit signatures" command for locally auditing the integrity of installed packages, with no need to work with PGP utilities. The new verification mechanism is based on digital signatures using the ECDSA algorithm, with an HSM (Hardware Security Module) used for key management. All packages in the npm repository have already been re-signed using the new scheme.
- Announced that enhanced two-factor authentication is now available for widespread use. A simplified login and publishing process that works through the browser has been added to the npm CLI. When the "--auth-type=web" option is specified, the account is authenticated through a web interface opened in the browser. The session parameters are remembered. To establish a session, the email address must be confirmed with a one-time password (OTP), and for operations within an already established session it is enough to confirm the second factor of two-factor authentication. A remember mode is provided that allows publishing operations from the same IP and with the same token for 5 minutes without additional two-factor authentication prompts.
- Added the ability to link GitHub and Twitter accounts to npm, which allows you to connect to npm using GitHub and Twitter accounts.
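
The ECDSA check behind the "audit signatures" item above can be sketched as follows. This is an added example, not code from npm or from the original article. It assumes the signed message is `name@version:integrity` and that signatures sit in `dist.signatures`, as npm's registry-signature documentation describes; the key pair, key id, package name and tarball bytes are constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the registry signing key (the real private key stays in an HSM).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const spki = publicKey.export({ type: 'spki', format: 'der' });
const KEY_ID = 'SHA256:' + crypto.createHash('sha256').update(spki).digest('base64');

// Constructed trusted-key list; only public material is needed to verify.
const trustedKeys = [{ keyid: KEY_ID, key: spki.toString('base64') }];

// Assumed message layout (npm registry-signature docs): name@version:integrity
const signedMessage = (pkg) => Buffer.from(`${pkg.name}@${pkg.version}:${pkg.dist.integrity}`);

const sha512Integrity = (bytes) =>
  'sha512-' + crypto.createHash('sha512').update(bytes).digest('base64');

// Registry side (simulated): hash the tarball, then sign the metadata line.
function makeSignedPackage(name, version, tarball) {
  const pkg = { name, version, dist: { integrity: sha512Integrity(tarball), signatures: [] } };
  const sig = crypto.sign('sha256', signedMessage(pkg), privateKey).toString('base64');
  pkg.dist.signatures.push({ keyid: KEY_ID, sig });
  return pkg;
}

// Client side: true only if a trusted key signed this exact name, version and integrity.
function verifyRegistrySignature(pkg, keys) {
  const sigs = (pkg.dist && pkg.dist.signatures) || [];
  return sigs.some(({ keyid, sig }) => {
    const entry = keys.find((k) => k.keyid === keyid);
    if (!entry) return false; // unknown key id: fail closed
    const pub = crypto.createPublicKey({ key: Buffer.from(entry.key, 'base64'), format: 'der', type: 'spki' });
    return crypto.verify('sha256', signedMessage(pkg), pub, Buffer.from(sig, 'base64'));
  });
}

// The signature covers the integrity string, so the installed bytes must match it too.
function verifyInstalled(pkg, tarball, keys) {
  return verifyRegistrySignature(pkg, keys) && sha512Integrity(tarball) === pkg.dist.integrity;
}

const tarball = Buffer.from('constructed tarball bytes');
const pkg = makeSignedPackage('example-pkg', '1.0.0', tarball);
console.log('untampered:', verifyInstalled(pkg, tarball, trustedKeys));
```

Because the signature binds the name, version and integrity hash together, changing any one of them, or swapping the tarball bytes, makes verification fail.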
Future plans include enabling mandatory two-factor authentication for accounts associated with packages that have more than 1 million downloads per week or more than 500 dependent packages. Currently, mandatory two-factor authentication applies only to the 500 most popular packages.