GitHub Adds Granular Access To npm
Written by Kay Ewbank   
Monday, 12 December 2022

GitHub has announced the general availability of granular access tokens on the JavaScript package manager npm, along with a new npm code explorer. Both new features are designed to make it safer to download npm packages. 

The name npm stands for Node Package Manager, reflecting the purpose it had when it was first created. GitHub, which bought npm in 2020 says the JavaScript community downloads over 200 billion packages from npm every month, accounting for 93 percent of traffic.



The granular access tokens are designed to help maintainers protect against data breaches by limiting the impact of an accidental or deliberate misuse of a token.

The feature extends the existing support in npm for automation tokens. These can be used to publish to any packages that the owner of the token has permission to. However, until now you couldn't create tokens with lower levels of privilege, which is what the new granular access tokens are designed for. Developers can now create tokens that can publish only to a limited set of packages, or that are limited in scopes. The tokens can also be used to limit npm API access based on allowed IP ranges. A one year expiry period has also been added, and GitHub says that since less than 10 percent of the tokens in npm are being regularly used, this leaves a lot of npm tokens unnecessarily active, which increases the potential for such a long-lived token to eventually be compromised.

The other addition expands the existing npm code explorer from its current state where it was a subscription option. Until now, developers had to download an npm package to inspect its contents, which could cause problems if the package contained malicious or otherwise detrimental code which could be deployed on your system through malicious install scripts.

The npm code explorer lets developers view the contents of a package directly from the npm portal. It provides syntax highlighting for .js, .ts, .md, .json, and .css, and also can be used to view the content of any prior version of a package.

Both features are available now.


More Information

GitHub Website

Related Articles

npm 7 CLI Now Generally Available

npm 7 Will Ship With Node.js 15

GitHub Copilot Provides Productivity Boost  

GitHub Copilot Your Programming Pal

GitHub Desktop Adds Squashing

GitHub Desktop 2.0 Introduces Stashing and Rebasing

GitHub Introduces Super Linter

GitHub Strengthens Team Working



To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Excel Spreadsheet - A Joke?

No this isn't an April Fool's although in places it seems like one. It's a true account of how Williams Racing has suffered through reliance on an overgrown and outdated Microsoft Excel spreadsheet, l [ ... ]

Redis Changes License, Rival Fork Launched

The developers of Redis have announced that they are changing the licensing model for the database. From now on, all future versions of Redis will be released with source-available licenses rather tha [ ... ]

More News

raspberry pi books



or email your comment to:

Last Updated ( Monday, 12 December 2022 )