diff --git a/content/cli/v11/commands/npm-access.mdx b/content/cli/v11/commands/npm-access.mdx index 654727214f0..a7d53b81c82 100644 --- a/content/cli/v11/commands/npm-access.mdx +++ b/content/cli/v11/commands/npm-access.mdx @@ -42,7 +42,7 @@ npm access list packages [||] [] npm access list collaborators [ []] npm access get status [] npm access set status=public|private [] -npm access set mfa=none|publish|automation [] +npm access set mfa=publish|automation [] npm access grant [] npm access revoke [] ``` diff --git a/content/cli/v11/commands/npm-publish.mdx b/content/cli/v11/commands/npm-publish.mdx index 2793abd2e7a..262be26985f 100644 --- a/content/cli/v11/commands/npm-publish.mdx +++ b/content/cli/v11/commands/npm-publish.mdx @@ -49,6 +49,17 @@ Publishes a package to the registry so that it can be installed by name. Publish the package in the current directory: + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + ```bash npm publish ``` diff --git a/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx index d4e0c6b7b94..e8aaafc8946 100644 --- a/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx +++ b/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx @@ -20,6 +20,17 @@ When you enable 2FA, you will be prompted for a second form of authentication be + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + ## Two-factor authentication on npm Two-factor authentication on npm can be enabled for authorization and writes, or authorization only. diff --git a/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx index f0950aafcaf..c7a31fda6eb 100644 --- a/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx +++ b/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx @@ -6,6 +6,17 @@ import shared from '~/shared.js' You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn]. + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + ## Prerequisites Before you enable 2FA on your npm user account, you must: @@ -54,34 +65,6 @@ For more information on supported 2FA methods, see "[About two-factor authentica 8. Click **Go back to settings** after confirming that you have saved your codes. -### Disabling 2FA for writes - -Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled. - - - -**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it. - - - -1. <>{shared['user-login'].text} - - <>{shared['user-login'].image} - -2. <>{shared['account-settings'].text} - - <>{shared['account-settings'].image} - -3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**. - - - -4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section - -5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences" - - - ### Disabling 2FA If you have 2FA enabled, you can remove it from your account settings page. @@ -193,6 +176,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l [can-i-use]: https://caniuse.com/#search=webauthn [viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code [webauthn]: https://webauthn.guide/ +[creating-token]: /creating-and-viewing-access-tokens [u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor [windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0 [touch-id]: https://support.apple.com/en-gb/HT204587 diff --git a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx index ccfdcc87c57..6654a7ad35a 100644 --- a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx +++ b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx @@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you npm token commands let you: - View tokens for easier tracking and management -- Create new legacy tokens (deprecated) - Limit access according to IP address ranges (CIDR) - Delete/revoke tokens For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]". -## About legacy tokens (Deprecated) - - - -**Warning:** Legacy access tokens were removed on November 5, 2025. - - - -Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`. - -There are three different types of legacy tokens: - -- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not require 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm. - -Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]." - ## About granular access tokens Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can: diff --git a/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx b/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx index 21639230c6f..06d75579fee 100644 --- a/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx +++ b/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx @@ -45,7 +45,7 @@ For more information on creating granular access tokens, including CIDR-whitelis For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management. -If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account. +If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account. diff --git a/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx b/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx index f299e6f313a..eb4dc724015 100644 --- a/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx +++ b/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx @@ -6,6 +6,17 @@ import shared from '~/shared.js' Organization owners can require organization members to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's packages and settings. + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + ## About two-factor authentication for organizations Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. You can require all members in your organization to enable two-factor authentication on npm. For more information about two-factor authentication, see ["Configuring two-factor authentication"][configure-2fa]. diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx index ce872d89064..9c6de2e7447 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx @@ -81,6 +81,17 @@ npm install my-package By default, scoped packages are published with private visibility. + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + 1. On the command line, navigate to the root directory of your package. ``` @@ -109,3 +120,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [reg-config]: configuring-your-registry-settings-as-an-npm-enterprise-user#using-npmrc-to-manage-multiple-profiles-for-different-registries [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx index 9ca51dd8892..8a46633c297 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx @@ -77,6 +77,17 @@ npm install /path/to/my-test-package By default, scoped packages are published with private visibility. To publish a scoped package with public visibility, use `npm publish --access public`. + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + 1. On the command line, navigate to the root directory of your package. ``` @@ -111,3 +122,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information [provenance-how-to]: /generating-provenance-statements +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx index 80fd70a7478..709d591f3b1 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx @@ -58,6 +58,17 @@ npm install path/to/my-package ## Publishing unscoped public packages + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + 1. On the command line, navigate to the root directory of your package. ``` @@ -89,3 +100,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information [provenance-how-to]: /generating-provenance-statements +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx index 4e1fd077806..4bf781f433e 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx @@ -36,8 +36,20 @@ exports.printMsg = function() { ## Test your module 1. Publish your package to npm: - - For [private packages][priv-pkg-pub] and [unscoped packages][unscoped-pkg-pub], use `npm publish`. - - For [scoped public packages][scoped-pkg-pub], use `npm publish --access public` + + + +**Important:** Publishing to npm requires either: + +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + +- For [private packages][priv-pkg-pub] and [unscoped packages][unscoped-pkg-pub], use `npm publish`. +- For [scoped public packages][scoped-pkg-pub], use `npm publish --access public` 2. On the command line, create a new test directory outside of your project directory. @@ -73,3 +85,5 @@ exports.printMsg = function() { [priv-pkg-pub]: creating-and-publishing-private-packages#publishing-private-packages [unscoped-pkg-pub]: creating-and-publishing-unscoped-public-packages#publishing-unscoped-public-packages [scoped-pkg-pub]: creating-and-publishing-scoped-public-packages#publishing-scoped-public-packages +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens diff --git a/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx b/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx index 4aee6a2788e..bb9618a4b10 100644 --- a/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx +++ b/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx @@ -4,9 +4,9 @@ title: Requiring 2FA for package publishing and settings modification import shared from '~/shared.js' -To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "[Configuring two-factor authentication][config-2fa]". +All packages now require two-factor authentication (2FA) or a [granular access tokens with bypass 2FA enabled][creating-granular-access-token] for creating and publishing packages. -You may also choose to allow publishing with either two-factor authentication _or_ with [granular access tokens with bypass 2FA enabled][creating-granular-access-token]. This lets you configure tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes. +Modifying a package's settings also requires two-factor authentication (2FA). For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management. @@ -21,7 +21,7 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w -## Configuring two-factor authentication +## Configuring two-factor authentication on package settings 1. <>{shared['user-login'].text} @@ -34,18 +34,13 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w 4. Under "Publishing access", select the requirements to publish a package. - 1. **Dont require two-factor authentication** - With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting. - - 2. **Require two-factor authentication or granular access tokens** - With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that to publish. A second factor is _not_ required when using these specific token types, making them useful for continuous integration and continuous deployment workflows. - - 3. **Require two-factor authentication and disallow tokens** - With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting. + 1. **Require two-factor authentication or a granular access token with bypass 2fa enabled** (Default) + This is the default option for all new packages. With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to respond to a 2FA prompt when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that for a non-interactive publish. + 2. **Require two-factor authentication and disallow tokens** (Recommended) With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to respond to a 2FA prompt when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting. -5. Click **Update Package Settings**. +5 . Click **Update Package Settings**. [config-2fa]: configuring-two-factor-authentication [creating-granular-access-token]: creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website diff --git a/static/packages-and-modules/securing-your-code/2fa-package-setting.png b/static/packages-and-modules/securing-your-code/2fa-package-setting.png index 72652569315..67c12d6f299 100644 Binary files a/static/packages-and-modules/securing-your-code/2fa-package-setting.png and b/static/packages-and-modules/securing-your-code/2fa-package-setting.png differ