GitHub bolsters NPM access control

New granular access tokens allow NPM package maintainers to restrict which packages, scopes, and organisations a token has access to.

Looking to improve the safety and security of NPM JavaScript packages, GitHub is adding granular access tokens to enable fine-grained permissions for NPM accounts, and making its NPM code explorer capability free to users.

GitHub on December 6 explained that stolen credentials are a main cause of data breaches. To help NPM maintainers better manage their risk exposure, GitHub is introducing a granular access token type for NPM.

The granular access tokens allow NPM package maintainers to restrict which packages and scopes a token has access to, grant access to specific organisations, set token expiration dates, and limit access based on IP address ranges. Users also can select read-only or read and write access. As many as 50 granular access tokens can be created on an NPM account.

Granular access tokens also allow NPM organisation owners to automate org management. Tokens can be created to manage one or more organisations, members, or teams.

Tokens come with an expiration period of up to one year. GitHub said fewer than 10 per cent of tokens in NPM are being regularly used, which leaves many NPM tokens inactive unnecessarily, increasing the potential for a long-lived token to be compromised. Regular rotation of tokens and limiting their expirations to the minimum requirement reduce the number of attack vectors.
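The restrictions and expiry rules described above lend themselves to a periodic hygiene check: given an inventory of the tokens on an account, flag those that lack an expiry, have passed the one-year ceiling, have sat unused, carry write access without being limited to specific packages, or have no IP range restriction. The following is an added example written for this article, not GitHub's or npm's own code; the record shape (`id`, `created`, `lastUsed`, `expires`, `readonly`, `packages`, `allowedIpRanges`), the sample tokens, and the 90-day "unused" and 14-day "expiring soon" thresholds are all constructed assumptions for the illustration.

```javascript
// Added example: audit an inventory of npm access tokens against a rotation policy.
// The record shape and sample data are constructed for this example; they are not
// the output format of any npm command.
const DAY_MS = 24 * 60 * 60 * 1000;

const POLICY = {
  maxAgeDays: 365,       // article: granular tokens can live at most one year
  staleAfterDays: 90,    // constructed threshold: unused this long -> rotate or revoke
  expiringSoonDays: 14,  // constructed threshold: warn before the token lapses
};

// Returns one finding per token that violates the policy, with the reasons.
function auditTokens(tokens, now = new Date(), policy = POLICY) {
  const findings = [];
  for (const t of tokens) {
    const created = new Date(t.created);
    const ageDays = Math.floor((now - created) / DAY_MS);
    // A token that has never been used counts as idle since creation.
    const lastUsed = t.lastUsed ? new Date(t.lastUsed) : null;
    const idleDays = lastUsed ? Math.floor((now - lastUsed) / DAY_MS) : ageDays;
    const reasons = [];

    if (!t.expires) {
      reasons.push('no-expiry');
    } else {
      const daysLeft = Math.ceil((new Date(t.expires) - now) / DAY_MS);
      if (daysLeft <= 0) reasons.push('expired');
      else if (daysLeft <= policy.expiringSoonDays) reasons.push('expiring-soon');
    }
    if (ageDays > policy.maxAgeDays) reasons.push('over-max-age');
    if (idleDays >= policy.staleAfterDays) reasons.push('unused');
    // Write access should be scoped to named packages, not the whole account.
    if (!t.readonly && (!t.packages || t.packages.length === 0)) reasons.push('unscoped-write');
    if (!t.allowedIpRanges || t.allowedIpRanges.length === 0) reasons.push('no-ip-restriction');

    if (reasons.length > 0) findings.push({ id: t.id, reasons });
  }
  return findings;
}

// Constructed sample inventory: one well-scoped CI token, one legacy
// unscoped token, and one read-only token that is about to expire.
const SAMPLE_TOKENS = [
  { id: 'ci-publish', created: '2022-11-01', lastUsed: '2022-12-05', expires: '2023-05-01',
    readonly: false, packages: ['@acme/widget'], allowedIpRanges: ['203.0.113.0/24'] },
  { id: 'legacy-classic', created: '2021-06-15', lastUsed: '2022-01-10', expires: null,
    readonly: false, packages: [], allowedIpRanges: [] },
  { id: 'readonly-audit', created: '2022-12-01', lastUsed: null, expires: '2022-12-15',
    readonly: true, packages: ['@acme/widget'], allowedIpRanges: ['198.51.100.0/24'] },
];

// Stand-alone run, pinned to the article's date so the output is reproducible.
for (const f of auditTokens(SAMPLE_TOKENS, new Date('2022-12-06T00:00:00Z'))) {
  console.log(`${f.id}: ${f.reasons.join(', ')}`);
}
```

Run against the sample inventory, the scoped CI token passes, the legacy token is flagged on every rule, and the read-only token is flagged only as expiring soon. Feeding real token metadata into `auditTokens` and acting on the `unused` and `over-max-age` findings is the mechanical form of the rotation advice above.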

The NPM code explorer, meanwhile, lets developers view the contents of a package directly from the NPM portal. Thus packages can be scrutinised before use. Previously a paid feature, the code explorer is now available publicly for free and has been updated, improving stability and speed. The code explorer works with almost all packages in the NPM registry, GitHub said.

GitHub, which is owned by Microsoft, acquired NPM in 2020. There are more than 200 billion downloads of NPM packages every month.
