Published on Dec 08, 2022
NPM package maintainers can now restrict which packages, scopes, and organisations a token has access to with new granular access tokens.
To increase the safety and security of NPM JavaScript packages, GitHub is introducing granular access tokens to allow fine-grained permissions for NPM accounts, and providing free access to NPM code explorers.
GitHub explained on December 6 that stolen credentials are a major cause of data breaches, and that it is introducing a granular access token type for NPM to help maintainers manage their risk exposure. A granular access token lets NPM package maintainers restrict which packages and scopes a token can access, grant access to specific organisations, set the token's expiration date, and limit access to a set of IP address ranges. Each token can also be made read-only or read-and-write. An NPM account can hold up to 50 granular access tokens.
NPM organisation owners can also automate org management using granular access tokens. A token can be used to manage one or more organisations, members, or teams.
The tokens have a maximum lifetime of one year. GitHub reported that fewer than 10% of tokens in NPM are used regularly, leaving many tokens inactive for no reason and increasing the risk that a long-lived token is compromised. Rotating tokens regularly and keeping their lifetimes to the minimum required reduces that exposure.
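One way to act on the rotation advice above is to audit the output of `npm token list --json` and flag tokens that are old, read-write, or unrestricted by IP. This is an added example, not code from the article or from npm itself; the sample data is constructed, and the field names (`key`, `token`, `created`, `readonly`, `cidr_whitelist`) are assumed from the classic token API and may differ in practice.

```python
"""Audit npm access tokens for rotation, from `npm token list --json` output."""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 365  # ceiling matching the one-year lifetime of granular tokens

# Constructed sample output; these are not real tokens or ids.
# Field names are assumed from the classic token API.
SAMPLE_TOKEN_LIST = json.dumps([
    {"key": "a1", "token": "npm_a...", "created": "2021-06-01T00:00:00.000Z",
     "readonly": False, "cidr_whitelist": []},
    {"key": "b2", "token": "npm_b...", "created": "2022-11-20T00:00:00.000Z",
     "readonly": True, "cidr_whitelist": ["203.0.113.0/24"]},
    {"key": "c3", "token": "npm_c...", "created": "2022-10-01T00:00:00.000Z",
     "readonly": False, "cidr_whitelist": None},
])


def parse_created(timestamp):
    """Parse the registry's ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def audit_tokens(token_list_json, now, max_age_days=MAX_AGE_DAYS):
    """Return {token key: [issues]} for tokens that need attention."""
    findings = {}
    for tok in json.loads(token_list_json):
        issues = []
        age = now - parse_created(tok["created"])
        if age > timedelta(days=max_age_days):
            issues.append("older than %d days: rotate" % max_age_days)
        if not tok.get("readonly"):
            issues.append("read-write: prefer read-only unless it publishes")
        if not tok.get("cidr_whitelist"):
            issues.append("no IP allow-list configured")
        if issues:
            findings[tok["key"]] = issues
    return findings


def audit_sample():
    """Run the audit over the constructed sample as of 2022-12-08 (UTC)."""
    return audit_tokens(SAMPLE_TOKEN_LIST,
                        datetime(2022, 12, 8, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, issues in audit_sample().items():
        print(key, "->", "; ".join(issues))
```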
The NPM code explorer, on the other hand, allows developers to view the contents of a package directly within the NPM portal. As a result, packages can be scrutinised before being used. Formerly a paid feature, the code explorer is now publicly available for free and has been updated to improve speed and stability. According to GitHub, the code explorer is compatible with nearly all NPM packages.
NPM was acquired by GitHub, which is owned by Microsoft, in 2020. Every month, more than 200 billion NPM packages are downloaded.