{"id":68998,"date":"2022-12-06T09:42:23","date_gmt":"2022-12-06T17:42:23","guid":{"rendered":"https:\/\/github.blog\/?p=68998"},"modified":"2022-12-06T09:42:23","modified_gmt":"2022-12-06T17:42:23","slug":"new-npm-features-for-secure-publishing-and-safe-consumption","status":"publish","type":"post","link":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/","title":{"rendered":"New npm features for secure publishing and safe consumption"},"content":{"rendered":"<p>We are excited to announce two new features for a safer npm package ecosystem experience: <a href=\"https:\/\/docs.npmjs.com\/about-access-tokens#about-granular-access-tokens\">granular access tokens<\/a> and the npm <a href=\"https:\/\/www.npmjs.com\/package\/npm?activeTab=explore\">code explorer<\/a>.<\/p>\n<p>Stolen credentials are one of the main causes of data breaches. Safeguarding credentials can be a challenging task and the supply chain impact of a compromised token with broad permissions can be severe. To help npm maintainers more effectively manage their risk exposure to token compromise, we are introducing a <strong>granular access token<\/strong> type for npm. This new token allows npm package maintainers and org owners to create fine-grained access tokens.<\/p>\n<p>For consumers of npm packages, we are introducing a new <strong>code explorer<\/strong>. Today, developers must download an <code>npm<\/code> package to inspect its contents. While performing an <code>npm install<\/code> to inspect and verify package contents is straightforward, it is not guaranteed to be a secure operation. The installed package may contain malicious or otherwise detrimental code which can be deployed on your system through, for example, malicious install scripts.<\/p>\n<p>With the npm code explorer, you can now view the contents of a package directly from the npm portal. This enables you to scrutinize the package before using it. 
Also, the code explorer was previously a paid feature, but it is now updated and available publicly for free!<\/p>\n<h2 id=\"granular-access-tokens-help-publishers-create-tokens-with-limited-access\"><a class=\"heading-link\" href=\"#granular-access-tokens-help-publishers-create-tokens-with-limited-access\">Granular access tokens help publishers create tokens with limited access<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>npm has supported <a href=\"https:\/\/github.blog\/changelog\/2020-10-02-npm-automation-tokens\/\">automation tokens<\/a> for quite some time. Automation tokens allow you to publish to any packages that the owner of the token has permission to. Until now, it was not possible to create tokens with a least privilege model\u2014to limit the impact of an accidental or deliberate misuse of the token. The new granular access tokens will allow you to do exactly this. You can now create tokens that can publish only to a limited set of packages and\/or scopes.<\/p>\n<p>Prior to granular access tokens, npm organization owners were limited in their ability to automate the management of their organization, team, and its members. Organization owners were dependent on publish tokens to integrate their npm automations. Publish tokens are intended for interactive workflows, such as the npm CLI, and using them in automation was not recommended and often not feasible because of 2FA requirements.<\/p>\n<p>Granular access tokens will allow npm organization owners to automate org management. You can now create tokens to manage one or more organizations, their teams, and members.<\/p>\n<p>Granular access tokens also let you limit npm API access based on allowed IP ranges and come with an expiration period of up to one year. 
Because fewer than 10% of the tokens in npm are regularly used, many npm tokens remain unnecessarily active, which increases the potential for such a long-lived token to eventually be compromised. Regularly rotating tokens and aggressively limiting their expirations to the minimum requirement significantly reduces the number of attack vectors on your npm organization.<\/p>\n<p>Read more about granular access tokens in our documentation <a href=\"https:\/\/docs.npmjs.com\/about-access-tokens\">here<\/a>.<\/p>\n<div style=\"width: 1092px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-68998-1\" width=\"1092\" height=\"720\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/gat-final-2.mp4#t=0.001?_=1\" \/><a href=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/gat-final-2.mp4#t=0.001\">https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/gat-final-2.mp4#t=0.001<\/a><\/video><\/div>\n<h2 id=\"code-explorer-gives-visibility-into-the-contents-of-a-package-directly-from-the-npm-portal\"><a class=\"heading-link\" href=\"#code-explorer-gives-visibility-into-the-contents-of-a-package-directly-from-the-npm-portal\">Code explorer gives visibility into the contents of a package directly from the npm portal<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Code explorer was a paid feature, available to teams and pro users, for several years. We are happy to make a new and improved code explorer available publicly for free. The updated code explorer is more stable, faster, and works for almost all packages in the npm registry. We wanted to make this awesome feature available to all developers so that they can inspect a package before installing it. It provides syntax highlighting for .js, .ts, .md, .json, .css and other popular languages\/markups used in npm packages. 
You can also view the content of any prior version of a package. Internally, we have been using code explorer for the past few months to inspect packages reported as malicious.<\/p>\n<div style=\"width: 1092px;\" class=\"wp-video\"><video class=\"wp-video-shortcode\" id=\"video-68998-2\" width=\"1092\" height=\"720\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/code-explorer-final-2.mp4#t=0.001?_=2\" \/><a href=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/code-explorer-final-2.mp4#t=0.001\">https:\/\/github.blog\/wp-content\/uploads\/2022\/12\/code-explorer-final-2.mp4#t=0.001<\/a><\/video><\/div>\n<p>If you\u2019re using code explorer, we\u2019d love to hear your feedback in our dedicated <a href=\"https:\/\/github.com\/npm\/feedback\/discussions\">discussion<\/a>.<\/p>\n<h2 id=\"an-update-on-2fa-adoption\"><a class=\"heading-link\" href=\"#an-update-on-2fa-adoption\">An update on 2FA adoption<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>In addition to these two new features, npm has continued its commitment to improving the security of the npm ecosystem and as of <a href=\"https:\/\/github.blog\/changelog\/2022-11-01-high-impact-package-maintainers-now-require-2fa\/\">November 1, 2022<\/a>, we have begun enrolling all maintainers of high-impact packages into mandatory 2FA for their accounts. High\u2010impact packages are packages with more than 1 million weekly downloads and\/or more than 500 dependents.<\/p>\n<p>This increased 2FA adoption will help strengthen the security of the npm JavaScript ecosystem by defending against account hijacking, which remains the number one source of security incidents. Over 200 billion packages are downloaded from npm every month, and these high impact packages account for 93% of the traffic. 
And, to ensure developers do not encounter additional friction under mandatory 2FA, we\u2019ve made <a href=\"https:\/\/github.blog\/2022-07-26-introducing-even-more-security-enhancements-to-npm\/\">a number of improvements<\/a> for an enhanced 2FA experience, including an improved npm <a href=\"https:\/\/docs.npmjs.com\/recovering-your-2fa-enabled-account#misplaced-recovery-codes\">account recovery workflow<\/a>. You can now indicate additional sources of identity verification on your npm profile, such as linked <a href=\"https:\/\/docs.npmjs.com\/managing-your-profile-settings#linking-your-npm-and-github-accounts\">GitHub accounts and social media accounts<\/a>.<\/p>\n<p>We appreciate your hard work and enthusiasm in keeping the JavaScript ecosystem both thriving and secure, and we hope you enjoy these new features as we <a href=\"https:\/\/github.com\/orgs\/github\/projects\/4247\/views\/1?filterQuery=-status%3A%22Q4+2021+%E2%80%93+Oct-Dec%22%2C%22Q1+2022+%E2%80%93+Jan-Mar%22+npm\">continue to work<\/a> to improve the security of npm. If you have feedback, questions, suggestions, or concerns, <a href=\"https:\/\/github.com\/npm\/feedback\/discussions\">we\u2019d love to hear about it<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. 
And a new code explorer allows you to view content of a package directly in the npm portal.<\/p>\n","protected":false},"author":2027,"featured_media":56251,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"no","_gh_post_is_no_robots":"no","_gh_post_is_featured":"no","_gh_post_is_excluded":"no","_gh_post_is_unlisted":"no","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"https:\/\/github.blog\/wp-content\/uploads\/2022\/02\/npm-github_square.png","_gh_post_sq_img_id":"62790","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"Click Here to Learn More","_gh_post_recirc_hide":"no","_gh_post_recirc_col_1":"gh-auto-select","_gh_post_recirc_col_2":"65301","_gh_post_recirc_col_3":"65308","_gh_post_recirc_col_4":"65316","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"_links_to":"","_links_to_target":""},"categories":[3321,3325],"tags":[1640,2586],"coauthors":[2817],"class_list":["post-68998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-insights","category-product-news","tag-npm","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>New npm features for secure publishing and safe consumption - The GitHub Blog<\/title>\n<meta name=\"description\" content=\"Now you can create tokens with fine-grained permissions for automating your publishing and organization 
management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"New npm features for secure publishing and safe consumption - The GitHub Blog","description":"Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/","og_locale":"en_US","og_type":"article","og_title":"New npm features for secure publishing and safe consumption","og_description":"Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.","og_url":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/","og_site_name":"The GitHub Blog","article_published_time":"2022-12-06T17:42:23+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","type":"image\/png"}],"author":"Monish Mohan","twitter_card":"summary_large_image","twitter_image":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","twitter_misc":{"Written by":"Monish Mohan","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#article","isPartOf":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/"},"author":{"name":"Monish Mohan","@id":"https:\/\/github.blog\/#\/schema\/person\/b654355fd9ef3be67d492d445fda0b18"},"headline":"New npm features for secure publishing and safe consumption","datePublished":"2022-12-06T17:42:23+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/"},"wordCount":879,"image":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","keywords":["npm","Security"],"articleSection":["News &amp; insights","Product"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/","url":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/","name":"New npm features for secure publishing and safe consumption - The GitHub 
Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","datePublished":"2022-12-06T17:42:23+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/b654355fd9ef3be67d492d445fda0b18"},"description":"Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal.","breadcrumb":{"@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/news-insights\/product-news\/new-npm-features-for-secure-publishing-and-safe-consumption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"News &amp; 
insights","item":"https:\/\/github.blog\/news-insights\/"},{"@type":"ListItem","position":3,"name":"Product","item":"https:\/\/github.blog\/news-insights\/product-news\/"},{"@type":"ListItem","position":4,"name":"New npm features for secure publishing and safe consumption"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/b654355fd9ef3be67d492d445fda0b18","name":"Monish Mohan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/bfba285772a1e72cd10db5f50f7331968baaca60786aaaf0f24ddc70cd602d93?s=96&d=mm&r=gce7f856f17293c730fd457ddef5795b0","url":"https:\/\/secure.gravatar.com\/avatar\/bfba285772a1e72cd10db5f50f7331968baaca60786aaaf0f24ddc70cd602d93?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bfba285772a1e72cd10db5f50f7331968baaca60786aaaf0f24ddc70cd602d93?s=96&d=mm&r=g","caption":"Monish 
Mohan"},"url":"https:\/\/github.blog\/author\/monishcm\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2021\/02\/npm-github.png?fit=1200%2C630","jetpack_shortlink":"https:\/\/wp.me\/pamS32-hWS","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/68998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2027"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=68998"}],"version-history":[{"count":3,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/68998\/revisions"}],"predecessor-version":[{"id":69003,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/68998\/revisions\/69003"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/56251"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=68998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=68998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=68998"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=68998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}