
Requiring 2FA for package publishing and settings modification


To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "Configuring two-factor authentication".

You may also choose to allow publishing with either two-factor authentication or automation tokens. This lets you configure automation tokens in a CI/CD workflow, while still requiring two-factor authentication for interactive publishes.

Configuring two-factor authentication

  1. On the npm "Sign In" page, enter your account details and click Sign In.
  2. Navigate to the package on which you want to require a second factor to publish or modify settings.

  3. Click Settings.

  4. Under "Publishing access", select the requirements to publish a package.

    1. Don't require two-factor authentication. With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.

    2. Require two-factor authentication or automation tokens or granular access token. With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the npm publish command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create an automation token or a granular access token and use that to publish. A second factor is not required when using a token, making it useful for continuous integration and continuous deployment workflows.

    3. Require two-factor authentication and disallow tokens. With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Automation tokens and granular access tokens cannot be used to publish packages.

  5. Click Update Package Settings.
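
The same three "Publishing access" choices can also be applied from the command line. The script below is an added example, not part of the original npm documentation; it assumes npm 9 or later, where `npm access set mfa=none|publish|automation <package>` is available, and the policy names (`none`, `2fa-or-token`, `2fa-only`) and the package names are made up for illustration.

```shell
#!/bin/sh
# Added example: CLI counterpart of the "Publishing access" options.
# Assumes npm 9+ (npm access set mfa=...). Policy names are hypothetical.

# Map each web option to the CLI mfa level.
mfa_level_for() {
  case "$1" in
    none)         echo none ;;        # don't require 2FA (least secure)
    2fa-or-token) echo automation ;;  # 2FA, or an automation/granular token
    2fa-only)     echo publish ;;     # 2FA required, tokens disallowed
    *)            return 1 ;;
  esac
}

# Accept only plain or scoped lowercase package names.
valid_pkg() {
  case "$1" in
    ''|*[!a-z0-9@/._-]*) return 1 ;;  # empty, or a character outside the set
  esac
  printf '%s\n' "$1" |
    LC_ALL=C grep -Eq '^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$'
}

# Print the command for each package; run it only when APPLY=1.
# Returns 2 for an unknown policy, 1 if a name was rejected or npm failed.
set_publish_policy() {
  local policy level pkg rc
  policy="$1"; rc=0
  shift
  level="$(mfa_level_for "$policy")" || {
    echo "unknown policy: $policy" >&2
    return 2
  }
  for pkg in "$@"; do
    if ! valid_pkg "$pkg"; then
      echo "skipping invalid package name: $pkg" >&2
      rc=1
      continue
    fi
    echo "npm access set mfa=$level $pkg"
    if [ "${APPLY:-0}" = "1" ]; then
      npm access set "mfa=$level" "$pkg" || rc=1
    fi
  done
  return "$rc"
}

# Dry run over constructed package names; set APPLY=1 to change settings.
set_publish_policy 2fa-only "@example-scope/widgets" "example-lib"
```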

Last edited by mona on March 21, 2023
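Notice: The copyright of npm and related logos belongs to npmjs.com. This site serves only as Chinese-language documentation for npm and has no affiliation with npmjs.com. Because the translators' skills are limited, and to avoid misunderstandings, terms and policy content is not translated; for that material, please visit the official site for the latest content.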