Commit 33c780e

[docs] Update 2FA requirements for package publishing and settings modification
1 parent 1956c4c commit 33c780e

1 file changed

+8
-4
lines changed

content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx

Lines changed: 8 additions & 4 deletions
@@ -34,13 +34,17 @@ For CI/CD workflows, consider using [trusted publishing](/trusted-publishers), w
3434
<Screenshot src="/packages-and-modules/securing-your-code/2fa-package-admin.png" alt="Screenshot showing the admin tab on a package page" />
3535

3636
4. Under "Publishing access", select the requirements to publish a package.
37-
1. **Dont require two-factor authentication**
38-
With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.
3937

40-
2. **Require two-factor authentication or granular access tokens**
38+
<Note>
39+
40+
**Note:** All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled to publish. This is the default setting for all new packages.
41+
42+
</Note>
43+
44+
1. **Require two-factor authentication or granular access tokens** (Default)
4145
With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the `npm publish` command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create a [granular access token with bypass 2FA enabled][creating-granular-access-token] and use that to publish. A second factor is _not_ required when using these specific token types, making them useful for continuous integration and continuous deployment workflows.
4246

43-
3. **Require two-factor authentication and disallow tokens**
47+
2. **Require two-factor authentication and disallow tokens**
4448
With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.
4549

4650
<Screenshot src="/packages-and-modules/securing-your-code/2fa-package-setting.png" alt="Screenshot showing the require two-factor option for a package" />
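
Review bot: The two sentences of the added `<Note>` disagree about scope: the first says "All packages now require" 2FA or a bypass-2FA granular access token, while the second calls this "the default setting for all new packages", so a maintainer of an existing package that was set to the removed "Dont require two-factor authentication" option cannot tell whether that package was moved to the new minimum. Suggest stating explicitly what happens to existing packages, and dropping the literal "**Note:**" prefix, since the `<Note>` component already marks the callout. Because option 1 is now both the default and the weakest choice, and its text says a second factor is _not_ required with bypass-2FA tokens, it would also help to point CI/CD readers from that paragraph to the trusted publishing link already given earlier on the page, and to say in step 4 that only two options remain.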
