diff --git a/content/cli/v10/commands/npm-access.mdx b/content/cli/v10/commands/npm-access.mdx index 900fafb1772..34e44daa59d 100644 --- a/content/cli/v10/commands/npm-access.mdx +++ b/content/cli/v10/commands/npm-access.mdx @@ -26,7 +26,7 @@ npm access list packages [||] [] npm access list collaborators [ []] npm access get status [] npm access set status=public|private [] -npm access set mfa=none|publish|automation [] +npm access set mfa=publish|automation [] npm access grant [] npm access revoke [] ``` diff --git a/content/cli/v10/commands/npm-publish.mdx b/content/cli/v10/commands/npm-publish.mdx index 2b8a6d97205..98d743a753c 100644 --- a/content/cli/v10/commands/npm-publish.mdx +++ b/content/cli/v10/commands/npm-publish.mdx @@ -29,6 +29,16 @@ npm publish Publishes a package to the registry so that it can be installed by name. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v10/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v10/configuring-npm/package-json)). A `package` is interpreted the same way as other commands (like `npm install`) and can be: 
@@ -111,6 +121,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. +**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible. + #### `workspace` - Default: diff --git a/content/cli/v11/commands/npm-access.mdx b/content/cli/v11/commands/npm-access.mdx index 654727214f0..a7d53b81c82 100644 --- a/content/cli/v11/commands/npm-access.mdx +++ b/content/cli/v11/commands/npm-access.mdx @@ -42,7 +42,7 @@ npm access list packages [||] [] npm access list collaborators [ []] npm access get status [] npm access set status=public|private [] -npm access set mfa=none|publish|automation [] +npm access set mfa=publish|automation [] npm access grant [] npm access revoke [] ``` diff --git a/content/cli/v11/commands/npm-publish.mdx b/content/cli/v11/commands/npm-publish.mdx index b06109a34d3..4da591c133e 100644 --- a/content/cli/v11/commands/npm-publish.mdx +++ b/content/cli/v11/commands/npm-publish.mdx 
@@ -45,6 +45,16 @@ npm publish Publishes a package to the registry so that it can be installed by name. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v11/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v11/configuring-npm/package-json)). A `package` is interpreted the same way as other commands (like `npm install`) and can be: @@ -129,6 +139,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. +**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible. + #### `workspace` - Default: diff --git a/content/cli/v6/commands/npm-access.mdx b/content/cli/v6/commands/npm-access.mdx index 29c858614b5..29d705b4874 100644 --- a/content/cli/v6/commands/npm-access.mdx +++ b/content/cli/v6/commands/npm-access.mdx 
@@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in - grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package. -- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. +- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface. - ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing) diff --git a/content/cli/v6/commands/npm-publish.mdx b/content/cli/v6/commands/npm-publish.mdx index 7d1fee0260b..711cd905457 100644 --- a/content/cli/v6/commands/npm-publish.mdx +++ b/content/cli/v6/commands/npm-publish.mdx 
@@ -32,6 +32,16 @@ Sets tag 'latest' if no --tag specified Publishes a package to the registry so that it can be installed by name. All files in the package directory are included if no local `.gitignore` or `.npmignore` file exists. If both files exist and a file is ignored by `.gitignore` but not by `.npmignore` then it will be included. See [`developers`](/cli/v6/using-npm/developers) for full details on what's included in the published package, as well as details on how the package is built. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v6/using-npm/scope) in the name (see [`package.json`](/cli/v6/configuring-npm/package-json)). - ``: A folder containing a package.json file diff --git a/content/cli/v7/commands/npm-access.mdx b/content/cli/v7/commands/npm-access.mdx index 6bb68d6862b..7a9f758de64 100644 --- a/content/cli/v7/commands/npm-access.mdx +++ b/content/cli/v7/commands/npm-access.mdx 
@@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in - grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package. -- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. +- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface. - ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing) diff --git a/content/cli/v7/commands/npm-publish.mdx b/content/cli/v7/commands/npm-publish.mdx index fbf9e9a6d6d..a5723d8de60 100644 --- a/content/cli/v7/commands/npm-publish.mdx +++ b/content/cli/v7/commands/npm-publish.mdx @@ -32,6 +32,16 @@ Sets tag 'latest' if no --tag specified Publishes a package to the registry so that it can be installed by name. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v7/using-npm/scope) in the name (see [`package.json`](/cli/v7/configuring-npm/package-json)). - ``: A folder containing a package.json file 
@@ -116,6 +126,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. +**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible. + #### `workspace` - Default: diff --git a/content/cli/v8/commands/npm-access.mdx b/content/cli/v8/commands/npm-access.mdx index 62e95935b22..338f91a097d 100644 --- a/content/cli/v8/commands/npm-access.mdx +++ b/content/cli/v8/commands/npm-access.mdx @@ -43,8 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in - grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package. -- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. - +- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface. - ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing) - ls-collaborators (deprecated): Show all of the access privileges for a package. Will only show permissions for packages to which you have at least read access. If `` is passed in, the list is filtered only to teams _that_ user happens to belong to. 
diff --git a/content/cli/v8/commands/npm-publish.mdx b/content/cli/v8/commands/npm-publish.mdx index 14df8a8c773..ef0d6eaaca4 100644 --- a/content/cli/v8/commands/npm-publish.mdx +++ b/content/cli/v8/commands/npm-publish.mdx @@ -29,6 +29,16 @@ npm publish Publishes a package to the registry so that it can be installed by name. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v8/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v8/configuring-npm/package-json)). A `package` is interpreted the same way as other commands (like `npm install` and can be: @@ -107,6 +117,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. +**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible. + #### `workspace` - Default: diff --git a/content/cli/v9/commands/npm-access.mdx b/content/cli/v9/commands/npm-access.mdx index 094305dfe4d..54d64ca39a7 100644 --- a/content/cli/v9/commands/npm-access.mdx +++ b/content/cli/v9/commands/npm-access.mdx 
@@ -26,7 +26,7 @@ npm access list packages [|| [] npm access list collaborators [ []] npm access get status [] npm access set status=public|private [] -npm access set mfa=none|publish|automation [] +npm access set mfa=publish|automation [] npm access grant [] npm access revoke [] ``` @@ -43,7 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in - grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package. -- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. +- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface. - ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing) diff --git a/content/cli/v9/commands/npm-publish.mdx b/content/cli/v9/commands/npm-publish.mdx index cbb21d30592..d6c88d1ff06 100644 --- a/content/cli/v9/commands/npm-publish.mdx +++ b/content/cli/v9/commands/npm-publish.mdx 
@@ -29,6 +29,16 @@ npm publish Publishes a package to the registry so that it can be installed by name. + + +**Important:** Publishing to npm requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A granular access token with bypass 2FA enabled (for CI/CD workflows) + +For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification). + + + By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v9/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v9/configuring-npm/package-json)). A `package` is interpreted the same way as other commands (like `npm install` and can be: @@ -109,6 +119,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. +**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible. + #### `workspace` - Default: diff --git a/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx index d4e0c6b7b94..d6d302e084e 100644 --- a/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx +++ b/content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx 
@@ -20,6 +20,16 @@ When you enable 2FA, you will be prompted for a second form of authentication be + + +**Important:** Publishing packages to npm now requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A [granular access token with bypass 2FA enabled][granular-tokens] (for CI/CD workflows) + +For more information, see "[Requiring 2FA for package publishing][pkg-2fa]." + + + ## Two-factor authentication on npm Two-factor authentication on npm can be enabled for authorization and writes, or authorization only. @@ -63,6 +73,7 @@ If you enable 2FA for authorization only. We will request a second form of authe [token-create]: https://docs.npmjs.com/cli/token [token-revoke]: https://docs.npmjs.com/cli/token [publish]: https://docs.npmjs.com/cli/publish +[granular-tokens]: /creating-and-viewing-access-tokens [unpublish]: https://docs.npmjs.com/cli/unpublish [deprecate]: https://docs.npmjs.com/cli/deprecate [access]: https://docs.npmjs.com/cli/access diff --git a/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx b/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx index f0950aafcaf..4ab400b7c35 100644 --- a/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx +++ b/content/getting-started/setting-up-your-npm-user-account/configuring-two-factor-authentication.mdx 
@@ -6,6 +6,16 @@ import shared from '~/shared.js' You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn]. + + +**Important:** Publishing packages to npm now requires either: +- Two-factor authentication (2FA) enabled on your account, OR +- A [granular access token with bypass 2FA enabled][creating-token] (for CI/CD workflows) + +If you plan to publish packages, you must enable 2FA or use a bypass 2FA token. + + + ## Prerequisites Before you enable 2FA on your npm user account, you must: @@ -54,34 +64,6 @@ For more information on supported 2FA methods, see "[About two-factor authentica 8. Click **Go back to settings** after confirming that you have saved your codes. -### Disabling 2FA for writes - -Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled. - - - -**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it. - - - -1. <>{shared['user-login'].text} - - <>{shared['user-login'].image} - -2. <>{shared['account-settings'].text} - - <>{shared['account-settings'].image} - -3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**. - - - -4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section - -5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences" - - - ### Disabling 2FA If you have 2FA enabled, you can remove it from your account settings page. 
@@ -193,6 +175,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l [can-i-use]: https://caniuse.com/#search=webauthn [viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code [webauthn]: https://webauthn.guide/ +[creating-token]: /creating-and-viewing-access-tokens [u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor [windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0 [touch-id]: https://support.apple.com/en-gb/HT204587 diff --git a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx index 561872712be..cd937a23cc5 100644 --- a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx +++ b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx 
@@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you npm token commands let you: - View tokens for easier tracking and management -- Create new legacy tokens (deprecated) - Limit access according to IP address ranges (CIDR) - Delete/revoke tokens For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]". -## About legacy tokens (Deprecated) - - - -**Warning:** Legacy access tokens were removed on November 5, 2025. - - - -Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`. - -There are three different types of legacy tokens: - -- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm. - -Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]." 
- ## About granular access tokens Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can: diff --git a/content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx b/content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx index 2af6ee2ab4f..2ff4ea1cc6e 100644 --- a/content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx +++ b/content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx @@ -25,6 +25,7 @@ You can [create](#creating-access-tokens) and [view](#viewing-access-tokens) acc 5. (Optional) Check the **Bypass two-factor authentication** checkbox if you want this token to bypass 2FA requirements for write actions. - This setting is unchecked (false) by default - By checking this box, the token will bypass 2FA for write actions even if 2FA is enabled at the account or package level + - **Note:** For publishing packages, you must have either 2FA enabled on your account OR use a token with bypass 2FA enabled. 6. In the **Expiration** field, enter a token expiration period. The date must be at least 1 day in the future. diff --git a/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx b/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx index 21639230c6f..06d75579fee 100644 --- a/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx +++ b/content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx 
@@ -45,7 +45,7 @@ For more information on creating granular access tokens, including CIDR-whitelis For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management. -If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account. +If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account. diff --git a/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx b/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx index f299e6f313a..cca11cd3186 100644 --- a/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx +++ b/content/organizations/creating-and-managing-organizations/requiring-two-factor-authentication-in-your-organization.mdx 
@@ -12,6 +12,12 @@ Two-factor authentication (2FA) is an extra layer of security used when logging +**Important:** Publishing packages to npm now requires authentication via either two-factor authentication enabled on your account, or a granular access token with bypass 2FA enabled. This requirement applies at the platform level for all packages by default, regardless of organization-level 2FA settings. + + + + + **Note:** - When you require use of two-factor authentication for your organization, members who do not use 2FA will be removed from the organization and lose access to its packages. You can add them back to the organization if they enable two-factor authentication. diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx index ce872d89064..8f5070ba3ff 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-private-packages.mdx @@ -81,6 +81,16 @@ npm install my-package By default, scoped packages are published with private visibility. + + +**Important:** Before you can publish, you must have either: +- [Two-factor authentication (2FA)][config-2fa] enabled on your account, OR +- A [granular access token with bypass 2FA enabled][creating-token] (required for CI/CD workflows) + +For more information, see "[Requiring 2FA for package publishing][requiring-2fa]." + + + 1. On the command line, navigate to the root directory of your package. ``` 
@@ -109,3 +119,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [reg-config]: configuring-your-registry-settings-as-an-npm-enterprise-user#using-npmrc-to-manage-multiple-profiles-for-different-registries [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx index 9ca51dd8892..1be8350c88d 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-scoped-public-packages.mdx @@ -77,6 +77,16 @@ npm install /path/to/my-test-package By default, scoped packages are published with private visibility. To publish a scoped package with public visibility, use `npm publish --access public`. + + +**Important:** Before you can publish, you must have either: +- [Two-factor authentication (2FA)][config-2fa] enabled on your account, OR +- A [granular access token with bypass 2FA enabled][creating-token] (required for CI/CD workflows) + +For more information, see "[Requiring 2FA for package publishing][requiring-2fa]." + + + 1. On the command line, navigate to the root directory of your package. ``` 
@@ -111,3 +121,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information [provenance-how-to]: /generating-provenance-statements +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx index 80fd70a7478..6eec443de89 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx @@ -58,6 +58,16 @@ npm install path/to/my-package ## Publishing unscoped public packages + + +**Important:** Before you can publish, you must have either: +- [Two-factor authentication (2FA)][config-2fa] enabled on your account, OR +- A [granular access token with bypass 2FA enabled][creating-token] (required for CI/CD workflows) + +For more information, see "[Requiring 2FA for package publishing][requiring-2fa]." + + + 1. On the command line, navigate to the root directory of your package. ``` @@ -89,3 +99,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p [cli-publish]: /cli/publish [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information [provenance-how-to]: /generating-provenance-statements +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens +[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification 
diff --git a/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx b/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx index 4e1fd077806..ab2a1aecb4f 100644 --- a/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx +++ b/content/packages-and-modules/contributing-packages-to-the-registry/creating-node-js-modules.mdx @@ -36,6 +36,13 @@ exports.printMsg = function() { ## Test your module 1. Publish your package to npm: + + + + **Important:** Before you can publish, you must have either [two-factor authentication (2FA)][config-2fa] enabled on your account, or a [granular access token with bypass 2FA enabled][creating-token] for CI/CD workflows. + + + - For [private packages][priv-pkg-pub] and [unscoped packages][unscoped-pkg-pub], use `npm publish`. - For [scoped public packages][scoped-pkg-pub], use `npm publish --access public` @@ -73,3 +80,5 @@ exports.printMsg = function() { [priv-pkg-pub]: creating-and-publishing-private-packages#publishing-private-packages [unscoped-pkg-pub]: creating-and-publishing-unscoped-public-packages#publishing-unscoped-public-packages [scoped-pkg-pub]: creating-and-publishing-scoped-public-packages#publishing-scoped-public-packages +[config-2fa]: /configuring-two-factor-authentication +[creating-token]: /creating-and-viewing-access-tokens diff --git a/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx b/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx index 4aee6a2788e..f8727e734a4 100644 --- a/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx +++ b/content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx 
@@ -4,9 +4,9 @@ title: Requiring 2FA for package publishing and settings modification import shared from '~/shared.js' -To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "[Configuring two-factor authentication][config-2fa]". +All packages now require two-factor authentication (2FA) for creating and publishing packages. For more information, see "[Configuring two-factor authentication][config-2fa]". -You may also choose to allow publishing with either two-factor authentication _or_ with [granular access tokens with bypass 2FA enabled][creating-granular-access-token]. This lets you configure tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes. +You may also choose to publish with [granular access tokens with bypass 2FA enabled][creating-granular-access-token]. This lets you configure tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes. For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management. 
@@ -34,13 +34,17 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w 4. Under "Publishing access", select the requirements to publish a package. - 1. **Dont require two-factor authentication** - With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting. - 2. **Require two-factor authentication or granular access tokens** + + + **Note:** All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled to publish. This is the default setting for all new packages. + + + + 1. **Require two-factor authentication or granular access tokens** (Default) With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that to publish. A second factor is _not_ required when using these specific token types, making them useful for continuous integration and continuous deployment workflows. - 3. **Require two-factor authentication and disallow tokens** + 2. **Require two-factor authentication and disallow tokens** With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.
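Review bot: In the `npm-access.mdx` synopsis hunks for cli/v9, v10 and v11 (`-npm access set mfa=none|publish|automation` to `+npm access set mfa=publish|automation`), dropping `none` from the usage line leaves nothing on the page telling a user who still runs the old `mfa=none` form what to expect; these hunks only touch the usage block. Suggest pairing the synopsis change with a one-line note in the `mfa` description that the value is no longer available, in the same way the v6, v7, v8 and v9 `2fa-required` bullets in this PR say the option "has been removed from the web interface".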
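Review bot: The same **Important:** block is pasted verbatim into six `npm-publish.mdx` files (cli/v6 through v11), and the copies already drift from the rest of the PR: the CLI copies read "Publishing to npm requires either", the getting-started copies read "now requires", and the packages-and-modules copies read "(required for CI/CD workflows)" where the CLI copies read "(for CI/CD workflows)". Consider moving the block into `~/shared.js` (already imported as `shared` in `configuring-two-factor-authentication.mdx` and `requiring-2fa-for-package-publishing-and-settings-modification.mdx`) so it is maintained once. Separately, in the cli/v8 and v9 hunks the trailing context line reads "(like `npm install` and can be:" with a missing closing parenthesis, which could be fixed while these lines are being touched.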
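Review bot: The `otp` **Note:** added in the `npm-publish.mdx` hunks (`@@ -111,6 +121,8 @@` in v10 and the matching hunks in v7, v8, v9 and v11) presents the bypass-2FA token as an "alternative to using 2FA with OTP" without saying what the reader gives up: such a token authorises write actions with no second factor. Suggest pointing at the token-hygiene advice this PR relies on elsewhere (scope the token to what it publishes, set an expiration) or at trusted publishing, which `using-private-packages-in-a-ci-cd-workflow.mdx` in this same PR "strongly recommend[s]". Also, the v6 `npm-publish.mdx` receives the **Important:** block but no matching `otp` note; confirm that omission is intentional.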
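Review bot: In the `2fa-required / 2fa-not-required` bullet hunks of `npm-access.mdx` for cli/v6, v7, v8 and v9, the added sentence "All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default" is ambiguous, since "by default" reads as modifying "bypass 2FA enabled" rather than "require". Suggest "By default, all packages now require either two-factor authentication or a granular access token with bypass 2FA enabled." Because the bullet still documents the `2fa-not-required` subcommand, it should also state what that subcommand now does (or that it no longer has an effect) rather than only noting that the web-interface option was removed.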
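Review bot: The `about-access-tokens.mdx` hunk (`@@ -22,30 +22,11 @@`) removes the whole "About legacy tokens (Deprecated)" section, and with it the only dated statement on the page ("Legacy access tokens were removed on November 5, 2025") and the `#about-legacy-tokens-deprecated` anchor; a reader still holding an old token lands on a page that never mentions legacy tokens existed. Suggest keeping a one-line note with the removal date under the bulleted list, checking that no other page links to the removed anchor, and either pruning or confirming a remaining use of the `[secure-token]` reference, whose only visible use was in the deleted paragraph.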
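Review bot: The `configuring-two-factor-authentication.mdx` hunk `@@ -54,34 +64,6 @@` deletes the "Disabling 2FA for writes" section, which was the only visible user of the `[authorization-and-writes]` reference and carried the `#disabling-2fa-for-writes` anchor; check that the reference definition is pruned if now unused and that no page or `shared.js` entry still links to that anchor. The retained "### Disabling 2FA" section that follows still lets a user remove 2FA from the account entirely, so add a sentence there stating that after disabling 2FA the account can no longer publish without a bypass-2FA token, consistent with the **Important:** block this same file gains at the top.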
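Review bot: In the `requiring-2fa-for-package-publishing-and-settings-modification.mdx` hunk `@@ -4,9 +4,9 @@`, the new opening sentence "All packages now require two-factor authentication (2FA) for creating and publishing packages" contradicts the next paragraph and the rest of the PR, which allow a bypass-2FA granular token instead of 2FA, and "creating" packages is not what the page title covers (publishing and settings modification). The retained tail "but requires two-factor authentication from interactive publishes" also lost its subject: it described the policy option, and now hangs off "You may also choose to publish with granular access tokens". Suggest: "By default, all packages now require either two-factor authentication (2FA) or a granular access token with bypass 2FA enabled to publish or to change package settings. Interactive `npm publish` still prompts for 2FA credentials; bypass-2FA tokens let a CI/CD workflow publish without a second factor."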
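Review bot: In the hunk `@@ -34,13 +34,17 @@` of the same file, the inserted **Note:** says the requirement "is the default setting for all new packages", while the organization page hunk in this PR says it "applies at the platform level for all packages by default" and the `npm-access.mdx` bullets say "All packages"; "new" implies existing packages may still carry the removed "Don't require two-factor authentication" option. Pick one wording and state explicitly what happens to packages that were previously set to that option. The note also sits inside step 4 between "select the requirements to publish a package" and its sub-list, and with the first option now labelled "(Default)" it duplicates that marker; it could be reduced to the one sentence about existing packages.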
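Review bot: In the `creating-and-viewing-access-tokens.mdx` hunk (`@@ -25,6 +25,7 @@`), the new sub-bullet under the "Bypass two-factor authentication" checkbox states the publishing requirement but gives no guidance on when to leave the box unchecked; since the page describes the bypass as applying to write actions, suggest adding that a token used only to install packages should keep it unchecked, and that a bypass token is the credential to scope narrowly and give the shortest workable period in the **Expiration** field of step 6.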