Thursday, 5 October, 2017 UTC


Summary

Hey y'all, this is a big new feature release! We’ve got some security-related goodies plus some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).
The changes largely came together in one piece, so I’m just gonna leave the commit line here:
  • f6ebf5e8b f97ad6a38 f644018e6 8af91528c 346a34260 Two factor authentication, profile editing and token management. (@iarna)

TWO FACTOR AUTHENTICATION

You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:
npm profile enable-tfa 
With the default two-factor authentication mode you’ll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.

TOKEN MANAGEMENT

You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a read-only token to give to your CI. It will be able to download your private modules but it won’t be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.
Deleting tokens isn’t new; you could already do it via the website, but now you can do it via the CLI as well.
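
To make the read-only and network-address restrictions concrete, here is an added example (not npm's or the registry's own code) that audits a list of token records for a CI runner. The record fields `key`, `readonly` and `cidr_whitelist` are an assumption modeled on npm-profile's token listing, and the sample records are constructed.

```javascript
// Added example: audit token records for the restrictions described above.
// Record shape (key, readonly, cidr_whitelist) is an assumption modeled on
// npm-profile's token listing; the sample data is constructed.

// Dotted-quad IPv4 -> unsigned integer, or null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when `ip` lies inside the IPv4 range `cidr` (e.g. "10.8.0.0/16").
function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = String(cidr).split('/');
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !/^\d{1,2}$/.test(bitsStr)) return false;
  const bits = Number(bitsStr);
  if (bits > 32) return false;
  const size = 2 ** (32 - bits); // number of addresses the prefix covers
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Findings for tokens that a CI runner at `ciIp` should not be holding.
function auditTokens(tokens, ciIp) {
  const findings = [];
  for (const t of tokens) {
    const cidrs = t.cidr_whitelist || [];
    if (!t.readonly) findings.push({ key: t.key, issue: 'can publish' });
    if (cidrs.length === 0) {
      findings.push({ key: t.key, issue: 'usable from any address' });
    } else if (!cidrs.some((c) => inCidr(ciIp, c))) {
      findings.push({ key: t.key, issue: 'CI address not in allowed ranges' });
    }
  }
  return findings;
}

// Constructed sample records; keys are placeholders, not real token ids.
const SAMPLE_TOKENS = [
  { key: 'aaa111', readonly: true, cidr_whitelist: ['10.8.0.0/16'] },
  { key: 'bbb222', readonly: false, cidr_whitelist: null },
  { key: 'ccc333', readonly: true, cidr_whitelist: ['192.168.1.0/24'] },
];
console.log(auditTokens(SAMPLE_TOKENS, '10.8.4.20'));
```

A malformed range such as `10.8.0.0/` is treated as matching nothing, so a typo in a restriction fails closed instead of opening the token to every address.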

CHANGE YOUR PASSWORD, SET YOUR EMAIL

You can finally change your password from the CLI with npm profile set password! You can also update your email address with npm profile set email <address>. If you change your email address we’ll send you a new verification email so you can verify that it’s yours.

AND EVERYTHING ELSE ON YOUR PROFILE

You can also update all of the other attributes of your profile that previously you could only update via the website: fullname, homepage, freenode, twitter and github.

AVAILABLE STAND ALONE

All of these features were implemented in a standalone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There’s also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.

BUG FIXES

  • 5ee55dc71 install.sh: Drop support for upgrading from [email protected] as [email protected] can’t run on any Node.js version that ships [email protected] This fixes an issue some folks were seeing when trying to upgrade using curl | http://npmjs.com/install.sh. (@iarna)
  • 5cad1699a [email protected] Fix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
  • cd256cbb2 [email protected] Fix a bug where test directories would always be excluded from published modules. (@isaacs)
  • 2a11f0215 Fix formatting of unsupported version warning (@iarna)

DEPENDENCY UPDATES