@shmam shmam commented Nov 25, 2025

Overview

This is a PR to update the documentation to reflect the following changes coming to the npm registry:

  1. The default package setting for all newly created packages will be "Require two-factor authentication or a granular access token with bypass 2fa enabled".
  2. Publishing a package will require the user to have 2fa enabled or use a granular access token with bypass 2fa enabled.

Summary of file changes (thanks to Copilot)

Authentication and Publishing Requirements

  • Updated all relevant CLI documentation (npm-publish.mdx across v6–v11) to state that publishing packages to npm now requires either 2FA enabled on the account or a granular access token with bypass 2FA enabled, with links to further documentation. This is highlighted in notes at the top of publish command sections.
  • Added clarification that in CI/CD workflows, granular access tokens with bypass 2FA are recommended since interactive authentication is not possible. This is noted in the publish command documentation for each CLI version.

Access Control and 2FA Enforcement

  • Updated npm-access.mdx documentation for all CLI versions to indicate that all packages now require either 2FA or a granular access token with bypass 2FA enabled by default, and removed references to the option to disable 2FA via the web interface.
  • Changed the npm access set mfa command documentation to remove the none option, reflecting that disabling MFA is no longer supported.

Getting Started and Account Setup Documentation

  • Added warning notes to account setup guides to inform users that publishing packages requires 2FA or a granular access token with bypass 2FA, and provided links to relevant documentation.
  • Updated reference links in getting started documentation to point to granular access token creation and management pages.
  • Removed outdated instructions for disabling 2FA for write operations, as this is no longer supported.

@shmam shmam requested review from a team and leobalter as code owners November 25, 2025 16:46
@shmam shmam changed the base branch from release-120925 to main November 25, 2025 20:36
@shmam shmam changed the title from "Doc Changes for 2FA Publish Enabled By Default" to "[dec 16th]: Doc Changes for 2FA Publishing" Nov 25, 2025
@shmam shmam changed the title from "[dec 16th]: Doc Changes for 2FA Publishing" to "[dec 16th]: Doc Changes for 2FA Publishing and Secure By Default" Nov 25, 2025
@shmam shmam force-pushed the 2fa-default-publishing-batch-doc-changes branch from c8c8d2d to b0ad1dd December 3, 2025 15:44