Npm security update: All packages re-signed, get used to ‘npm audit signatures’

The npm package repository, operated by Microsoft’s GitHub, has had all packages re-signed with the ECDS (Elliptic Curve Digital Signature) Algorithm, which means a new “audit signatures” command in the npm CLI (command-line interface) should be reliable for use in test and deployment scripts.

In addition, publishers have a new login option managed in the browser, currently opt-in but to the default in npm 9, the next major update. And, there is a new mechanism for connecting GitHub and Twitter accounts to npm which is verified in order to make it suitable for account recovery.

Developers download over 5 billion packages from npm every day according to the post from GitHub’s Myles Borins, staff product manager, and Monish Mohan, senior product manager. Protecting the software supply chain from vulnerable or hijacked packages has been identified by the security community as among the most critical but difficult tasks for developers and operations teams.

“We periodically see incidents on the registry where npm accounts are compromised by malicious actors and then used to insert malicious code into popular packages to which these accounts have access. Examples include the recent takeovers of the ua-parser-js, coa, and rc packages,” said GitHub’s Mike Hanley, Chief Security Officer and SVP of Engineering in November last year.

There are two sides to this, the first being to protect the registry from such incidents, for which requiring two-factor authentication (2FA) from publishers is a critical part of the solution. This is the reason for the work on 2FA in the new release.

One of the issues is that while 2FA is fine for things like users logging onto a web site, it can be awkward in scripts that are part of automated solutions, including those which deploy packages to npm. This is the reason for tweaks like “publish now supports ‘remember me for 5 minutes’ and allows for subsequent publishes from the same IP + access token to avoid the 2FA prompt for a 5-minute period,” which is new in npm version 8.15 released this week.

GitHub has said that all users who contribute code will be required to enable 2FA by the end of 2023. The maintainers of the top 500 packages are already enrolled in mandatory 2FA.

The other side is for developers themselves to take steps to verify the authenticity of packages. Verifying packages signed with PGP (Pretty Good Privacy) was a multi-step process but the new signatures can be easily verified simply by typing npm audit-signatures.