To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide a one-time password in addition to their login token when they publish the package. For more information, see "Configuring two-factor authentication".
You may also choose to allow publishing with either two-factor authentication or with [automation tokens][creating-tokens]. This lets you configure automation tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes.
Navigate to the package on which you want to require a second factor to publish or modify settings.
Under "Publishing access", select the requirements to publish a package.
Two-factor authentication is not required
With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.
Require two-factor authentication or automation tokens
With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the
npm publish command, they will be required to enter a one-time passcode when they perform the publish. However, maintainers may also create an [automation token][creating-tokens] and use that to publish. A one-time passcode is not required when using an automation token, making it useful for continuous integration and continuous deployment workflows.
Two-factor authentication only
With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter a one-time passcode when they perform the publish.
Click Update Package Settings.
© npm, Inc. and Contributors
Licensed under the npm License.
npm is a trademark of npm, Inc.