GitHub Updates Blog provides announcements, product updates, and insights into new features and enhancements on the GitHub platform. Developers can stay informed about changes to GitHub's developer tools, collaboration features, and security offerings. With GitHub's commitment to empowering developers and supporting open source communities, the GitHub Updates Blog serves as a resource for staying connected with the latest developments in software development.

GitHub Changelog

npm CLI 11.15.0 ships two supply-chain security features. Staged publishing is now generally available: instead of immediately publishing a package, it goes into a queue requiring explicit 2FA-backed maintainer approval before becoming installable, even for CI/CD and OIDC trusted publishing workflows. Three new install-source flags — --allow-file, --allow-remote, and --allow-directory — join the existing --allow-git flag, letting teams restrict npm install from resolving dependencies from non-registry sources. Each flag accepts 'all' (current default) or 'none', and can be set in .npmrc or package.json. The --allow-git default will change to 'none' in npm v12.

Staged publishing and new install-time controls for npm

<p>I like this direction. Most supply-chain issues start from trust assumptions, so staged publish + stricter install sources feels overdue.</p>


<p>another good news from javascript ecosystem</p>
