DigiNews

Tech Watch by Johan Denoyer

Staged publishing and new install-time controls for npm

Quality: 9/10 Relevance: 9/10

Summary

GitHub's changelog announces staged publishing for npm and new install-time flags intended to tighten supply chain security. Staged packages now require maintainer approval before they go live, and the new flags let installs declare explicit allowlists for non-registry sources, giving CI/CD workflows tighter control over what gets installed. The features are available in npm CLI 11.15.0 and later, and the announcement recommends pairing them with trusted publishing (OIDC).

🚀 Service built by Johan Denoyer