May 22, 2026
Publish now, panic later?
GitHub introduces staged publishing and new install-time controls for NPM
GitHub just added a safety pause to app updates—and the crowd is already fighting over whether it fixes anything
TLDR: GitHub added a new approval step for npm updates so software changes don’t go live instantly, plus extra controls over where installs can come from. Commenters are split between relieved, unimpressed, and downright snarky, with some calling it a useful safeguard and others saying it’s just a temporary patch.
GitHub’s latest npm update is basically trying to put a human speed bump in front of suspicious software updates. The big change, staged publishing, lets developers upload an update without instantly releasing it to everyone. Instead, it sits in a waiting room until a real person approves it with two-step verification. GitHub is also adding new install-time locks so people can be stricter about where software gets downloaded from in the first place. In plain English: fewer surprise updates, more chances to stop a bad one before it spreads.
But the real action is in the comments, where the mood swings from “finally, some help” to “this is just security theater.” One early reaction was cautiously hopeful: maybe this will help stop the kinds of attacks that have been rattling the software world lately. Then came the skeptics, with one bluntly calling staged publishing a “band aid” and warning it could actually hurt long-term security efforts. Ouch. Another commenter basically asked, “Why not scan the code itself?”—arguing that delaying release isn’t the same as actually catching dangerous software.
And because no tech thread is complete without a rival flex, someone dropped the killer comparison: pnpm already refuses to download packages younger than a day by default. Translation: GitHub announced a new safety feature, and the comments instantly turned it into a competition, a philosophy debate, and a mild roast. Classic internet.
Key Points
- GitHub made npm staged publishing generally available in npm CLI 11.15.0 and newer.
- Staged publishing uploads a prebuilt tarball to a stage queue and requires explicit maintainer approval before a package version becomes installable.
- GitHub says staged publishing enforces proof of presence on every publish, including CI/CD and trusted publishing workflows, by requiring human approval with 2FA.
- npm CLI 11.15.0 adds `--allow-file`, `--allow-remote`, and `--allow-directory` to extend explicit install-source controls alongside the existing `--allow-git`.
- The article states that `--allow-git` will change its default from `all` to `none` in npm CLI v12, while the new flags already allow stricter settings in 11.15.0.
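The install-source control in the last two points is something a team can opt into today rather than waiting for the v12 default. The script below is an added example, not code from the article, GitHub or the npm project. It assumes only npm's documented convention that a CLI flag `--allow-git` can be persisted as the `.npmrc` key `allow-git`, and the two values the article quotes, `all` and `none`; it writes a project-level `.npmrc` that pins `allow-git=none` and audits an existing `.npmrc` for the weak or missing setting. The three new flags are left for the reader to add once their accepted values are confirmed with `npm help config`, since the article does not list them.

```shell
#!/bin/sh
# Added example (not from the article or npm). Assumption: npm maps the flag
# --allow-git to the .npmrc key `allow-git`, per npm's flag-to-config
# convention. Values `all` and `none` are the ones the article quotes.

# Write a hardened project-level .npmrc to the given path.
# `none` is the value the article says becomes the v12 default; setting it
# explicitly gives the same behaviour on npm CLI 11.15.0.
write_hardened_npmrc() {
  path="$1"
  cat > "$path" <<'EOF'
# Refuse git-sourced installs (npm CLI 11.15.0+).
allow-git=none
# --allow-file, --allow-remote and --allow-directory (added in 11.15.0) use
# the same key convention; confirm their accepted values with `npm help config`
# before adding them here.
EOF
}

# Audit an .npmrc for the git install-source setting.
# Prints "hardened" if allow-git=none, "weak" if allow-git=all,
# "unset" if the key is absent, "unknown:<value>" otherwise.
# The last occurrence wins, matching how a file is read top to bottom.
audit_npmrc() {
  path="$1"
  val=$(grep -E '^[[:space:]]*allow-git[[:space:]]*=' "$path" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | tr -d '[:space:]')
  case "$val" in
    none) echo hardened ;;
    all)  echo weak ;;
    "")   echo unset ;;
    *)    echo "unknown:$val" ;;
  esac
}

# Usage: write_hardened_npmrc ./.npmrc && audit_npmrc ./.npmrc
```

The audit reports `unset` rather than `weak` for a file without the key, because on 11.15.0 that still means the `all` default applies; treat both results as something to fix until the v12 default lands.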