GitHub Adds Granular Access To npm
Written by Kay Ewbank
Monday, 12 December 2022
GitHub has announced the general availability of granular access tokens on the JavaScript package manager npm, along with a new npm code explorer. Both new features are designed to make it safer to download npm packages. The name npm stands for Node Package Manager, reflecting the purpose it had when it was first created. GitHub, which bought npm in 2020, says the JavaScript community downloads over 200 billion packages from npm every month, accounting for 93 percent of traffic.
The granular access tokens are designed to help maintainers protect against data breaches by limiting the impact of an accidental or deliberate misuse of a token. The feature extends npm's existing support for automation tokens, which can be used to publish to any package the token's owner has permission to publish. Until now, however, you couldn't create tokens with lower levels of privilege, which is what the new granular access tokens provide. Developers can now create tokens that can publish only to a limited set of packages, or that are limited to particular scopes. The tokens can also be restricted so that npm API access is allowed only from specified IP ranges. A one-year expiry period has also been added: GitHub says that since less than 10 percent of the tokens in npm are regularly used, a lot of npm tokens are left unnecessarily active, which increases the chance that such a long-lived token is eventually compromised.

The other addition expands the npm code explorer, which until now was a subscription option. Previously, developers had to download an npm package to inspect its contents, which could cause problems if the package contained malicious or otherwise harmful code that could be deployed on your system through malicious install scripts. The npm code explorer lets developers view the contents of a package directly from the npm portal. It provides syntax highlighting for .js, .ts, .md, .json, and .css files, and can also be used to view the contents of any prior version of a package.

Both features are available now.
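As an added illustration of the token hygiene the article describes (this is not code from the article, GitHub or npm), the following script audits the JSON printed by `npm token list --json` and flags long-lived tokens, publish-capable tokens without an IP allowlist, and classic automation tokens that can publish to every package their owner can. The field names (key, created, readonly, automation, cidr_whitelist) are assumed from the npm CLI's output format, and the sample data is constructed.

```javascript
// Added example, not code from the article or from npm: a small audit over the
// JSON that `npm token list --json` prints, flagging the conditions the new
// granular tokens are meant to address (long-lived tokens, publish-capable
// tokens with no IP allowlist, classic automation tokens that can publish to
// every package their owner can). The field names (key, created, readonly,
// automation, cidr_whitelist) are assumed from the npm CLI's output format.

const MAX_AGE_DAYS = 365; // the one-year expiry described in the article
const MS_PER_DAY = 86400000;

// Constructed sample data, shaped like `npm token list --json` output.
const SAMPLE_TOKENS = [
  { key: "t-old-automation", created: "2021-06-01T10:00:00.000Z",
    readonly: false, automation: true, cidr_whitelist: null },
  { key: "t-readonly", created: "2022-11-01T10:00:00.000Z",
    readonly: true, automation: false, cidr_whitelist: null },
  { key: "t-scoped-ip", created: "2022-12-01T10:00:00.000Z",
    readonly: false, automation: false, cidr_whitelist: ["203.0.113.0/24"] },
  { key: "t-recent-no-ip", created: "2022-10-15T10:00:00.000Z",
    readonly: false, automation: false, cidr_whitelist: [] },
];

function ageInDays(created, now) {
  return (now - new Date(created)) / MS_PER_DAY;
}

// Returns one entry per token that has at least one finding.
function auditTokens(tokens, now = new Date()) {
  const results = [];
  for (const t of tokens) {
    const findings = [];
    if (ageInDays(t.created, now) > MAX_AGE_DAYS) {
      findings.push("older than one year; rotate or revoke");
    }
    const hasAllowlist = Array.isArray(t.cidr_whitelist) && t.cidr_whitelist.length > 0;
    if (!t.readonly && !hasAllowlist) {
      findings.push("publish-capable token with no IP allowlist");
    }
    if (t.automation && !t.readonly) {
      findings.push("classic automation token: can publish to every package the owner can");
    }
    if (findings.length > 0) results.push({ key: t.key, findings });
  }
  return results;
}

// Fixed "now" so the sample output is reproducible.
console.log(JSON.stringify(auditTokens(SAMPLE_TOKENS, new Date("2022-12-12T00:00:00Z")), null, 2));
```

In real use, pipe the output of `npm token list --json` into `auditTokens` instead of the constructed sample; read-only tokens are exempt from the allowlist check because they cannot publish.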
Last Updated ( Monday, 12 December 2022 )