npm staged publishing has shipped 🎉
Your CI can now stage a publish without 2FA, but a human still has to approve it with a hardware key before anything goes live on the registry. Stolen npm tokens stop being game over. Big deal for the Shai-Hulud class of worm.
docs.npmjs.com/staged-publi...
Documentation for the npm registry, website, and command-line interface
