NPM, the popular JavaScript package manager, now allows developers to link their Twitter and GitHub accounts to their npm accounts as a recovery option.
The change was revealed on Tuesday, along with a slew of additional improvements to the GitHub-owned package manager’s security and usability.
GitHub said in a blog post that the improvements will make it simpler for users to safeguard their accounts while also simplifying certain security elements that users had found cumbersome.
“The JavaScript community downloads approximately 5 billion packages from npm every day,” stated GitHub product managers Myles Borins and Monish Mohan. “As stewards of the npm registry, it is critical that we continue to invest in changes that promote developer confidence and the registry’s overall security.”
GitHub also stated that the use of two-factor authentication (2FA) for login and package publishing on NPM will be made simpler, in addition to the option to link Twitter and GitHub accounts as an authentication mechanism.
According to the blog post, NPM previously trialed the usage of improved 2FA logins in a public beta version, but after receiving community input, concluded that some features should be modified to be more user-friendly. This includes the addition of a “remember me for 5 minutes” option, allowing users who successfully authenticated to suppress 2FA prompts for a limited time.
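To make the two ideas in the preceding paragraphs concrete (2FA enforced for login and for publishing, plus a "remember me for 5 minutes" window that suppresses repeat prompts), here is an added illustrative model; it is not npm's own code. The mode names are assumed from the npm CLI's `auth-only` and `auth-and-writes` 2FA options, and the 300-second window is taken from the article.

```python
"""Illustrative model of a 2FA policy with a "remember me" grace window.

Added example, not npm's code. Assumes two enforcement modes named after the
npm CLI options (`auth-only`, `auth-and-writes`) and a per-session grace window
of 300 seconds after a successful one-time-code check.
"""
from dataclasses import dataclass, field

REMEMBER_ME_SECONDS = 300  # "remember me for 5 minutes"


@dataclass
class TwoFactorPolicy:
    mode: str  # "auth-only" (login only) or "auth-and-writes" (login + publish)
    # session_id -> epoch seconds of the last successful 2FA check
    _verified_at: dict = field(default_factory=dict)

    def _covered(self, action: str) -> bool:
        """Does the configured mode require a second factor for this action?"""
        if action == "login":
            return self.mode in ("auth-only", "auth-and-writes")
        if action == "publish":
            return self.mode == "auth-and-writes"
        raise ValueError(f"unknown action {action!r}")

    def needs_otp(self, session_id: str, action: str, now: float) -> bool:
        """True if the user must supply a one-time code for this action now."""
        if not self._covered(action):
            return False
        last = self._verified_at.get(session_id)
        if last is None:
            return True
        # Grace window: suppress repeated prompts shortly after a success.
        # The window is per session, and a clock that moves backwards is
        # treated as expired rather than as a free pass.
        return not (0 <= now - last < REMEMBER_ME_SECONDS)

    def record_success(self, session_id: str, now: float) -> None:
        """Call after a one-time code was verified; starts the grace window."""
        self._verified_at[session_id] = now
```
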
The enhanced security features will be available in NPM 8.15.0, which will be published on July 26th, according to the article.
As a key component of the open-source software ecosystem for the JavaScript programming language, NPM has been targeted by a variety of malicious actors over the years. One of the most common methods attackers have used to gain control of packages is to purchase expired domains registered to package publishers and use them to set up email accounts that can receive password reset emails for the package. In light of this, expanding the use of 2FA for logging into NPM accounts has the potential to significantly enhance security.
GitHub, NPM’s parent company, is also aiming to strengthen security on its larger code-hosting platform: the firm said earlier this year that all users who contribute code will need to have some form of 2FA enabled by the end of 2023.