Looking to improve the safety and security of NPM JavaScript packages, GitHub is adding granular access tokens to enable fine-grained permissions for NPM accounts, and making its NPM code explorer capability free to users.
GitHub on December 6 noted that stolen credentials are a leading cause of data breaches. To help NPM maintainers limit their exposure, GitHub is introducing a granular access token type for NPM. Granular access tokens let package maintainers restrict which packages and scopes a token can access, grant access to specific organizations, set an expiration date, and limit use to specified IP address ranges. Each token can be read-only or read-write. Up to 50 granular access tokens can be created per NPM account.
Granular access tokens also allow NPM organization owners to automate org management. Tokens can be created to manage one or more organizations, members, or teams.
Tokens can be given an expiration period of up to one year. GitHub said fewer than 10% of tokens in NPM are used regularly, which leaves many tokens valid but idle, each one a long-lived credential that can be stolen without anyone noticing. Rotating tokens regularly and setting expirations to the minimum a workflow needs shrinks the window in which a leaked token is useful.
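The scoping options above and the rotation advice translate into a simple audit a maintainer can run against their own account. The script below is an added example, not code from GitHub or npm: it takes the JSON produced by `npm token list --json` and flags tokens that are older than a rotation threshold, that are read-write, or that have no IP (CIDR) allow-list. The field names (`id`, `created`, `readonly`, `cidr_whitelist`) and the 90-day threshold are assumptions, taken from the npm CLI's classic-token listing as the editor knows it; the sample records are constructed, and granular tokens created on the npm website should be checked in the account's token settings page as well.

```javascript
// Added example (not GitHub's or npm's code): audit `npm token list --json`
// output against a least-privilege and rotation policy.
// Assumed record shape: { id, token, created, readonly, cidr_whitelist }.

const ROTATION_DAYS = 90;                 // assumed policy threshold
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample, shaped like `npm token list --json` output.
const SAMPLE_TOKENS = [
  { id: "a1b2c3d4", token: "npm_AbC...", created: "2022-01-15T10:00:00.000Z",
    readonly: false, cidr_whitelist: null },
  { id: "e5f6a7b8", token: "npm_DeF...", created: "2022-11-20T08:30:00.000Z",
    readonly: true, cidr_whitelist: ["203.0.113.0/24"] },
  { id: "c9d0e1f2", token: "npm_GhI...", created: "2022-12-01T12:00:00.000Z",
    readonly: false, cidr_whitelist: ["198.51.100.0/24"] },
];

// Return one finding per token that violates the policy, with the reasons.
function auditTokens(tokens, now = new Date(), rotationDays = ROTATION_DAYS) {
  const findings = [];
  for (const t of tokens) {
    const ageDays = Math.floor((now - new Date(t.created)) / MS_PER_DAY);
    const reasons = [];
    if (ageDays > rotationDays) {
      reasons.push(`age ${ageDays}d exceeds ${rotationDays}d rotation policy`);
    }
    if (!t.readonly) {
      reasons.push("read-write: confirm it is actually used to publish");
    }
    if (!Array.isArray(t.cidr_whitelist) || t.cidr_whitelist.length === 0) {
      reasons.push("no CIDR allow-list: usable from any IP if leaked");
    }
    if (reasons.length > 0) findings.push({ id: t.id, ageDays, reasons });
  }
  return findings;
}

// Convenience wrapper for raw `npm token list --json` text.
function auditFromJson(jsonText, now = new Date(), rotationDays = ROTATION_DAYS) {
  return auditTokens(JSON.parse(jsonText), now, rotationDays);
}

// Suggested `npm token revoke` commands for tokens past the rotation threshold.
function revokeCommands(findings, rotationDays = ROTATION_DAYS) {
  return findings
    .filter((f) => f.ageDays > rotationDays)
    .map((f) => `npm token revoke ${f.id}`);
}

// Demonstration on the constructed sample, evaluated "as of" 6 Dec 2022.
const asOf = new Date("2022-12-06T00:00:00Z");
for (const f of auditTokens(SAMPLE_TOKENS, asOf)) {
  console.log(`${f.id} (${f.ageDays}d): ${f.reasons.join("; ")}`);
}
for (const cmd of revokeCommands(auditTokens(SAMPLE_TOKENS, asOf))) {
  console.log(cmd);
}
```

To run it on a real account, save `npm token list --json` to a file and pass its contents to `auditFromJson`; the `revokeCommands` output is meant to be reviewed, not piped blindly into a shell, since a flagged token may still be in use by a CI job that needs a replacement issued first.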
The NPM code explorer, meanwhile, lets developers view the contents of a package directly on the NPM portal, so a package's files can be inspected before it is installed. Previously a paid feature, the code explorer is now available to everyone for free and has been updated for stability and speed. The code explorer works with almost all packages in the NPM registry, GitHub said.
GitHub, which is owned by Microsoft, acquired NPM in 2020. There are more than 200 billion downloads of NPM packages every month.