npm CLI 11.15.0 Introduces Mandatory Staged Publish, Expands Source Flags
May 23, 2026
The npm CLI requirement is now version 11.15.0 or newer, and the guidance is to update CI/CD workflows to use the staged publish feature to get staged behavior.
A GitHub Community discussion has been opened to gather feedback and answer users' questions.
npm 11.15.0 expands the install-time source flags into explicit allowlists for non-registry sources: --allow-file for local files and tarballs, --allow-remote for remote URLs including https tarballs, and --allow-directory for local directories, alongside the existing --allow-git for Git sources.
The new staged publishing approach emphasizes proof of presence for all publishes, including CI/CD and trusted publishing with OIDC, and outlines the required approval workflow.
Staged publishing for npm is generally available. A maintainer with 2FA must approve a package version before it becomes installable, and the process is visible on npmjs.com and in the npm CLI.
Documentation now points to the npm install reference and the config reference for detailed usage of the new flags.
The recommended setup pairs staged publishing with trusted publishing (OIDC), potentially restricting non-stage publishing in some configurations, and supports both local stage publish and CI-driven workflows with maintainer approval.
The new flags (and --allow-git) can be set to all or none via .npmrc or package.json. The new flags were added in 11.15.0; the default for --allow-git will move to none in the next major release (v12).
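Before setting any of these allowlists to none, it helps to know which non-registry sources a project's manifest already depends on. The following is an added example, not code from npm or the GitHub post: a simplified classifier (not npm's own spec parser) that maps each direct dependency spec to the flag named above; the function names and the sample manifest are assumptions.

```javascript
// Added example: simplified spec classification, not npm's own parser.
// Flag names come from the article; everything else is illustrative.
const FLAG_FOR = {
  git: '--allow-git',
  remote: '--allow-remote',
  file: '--allow-file',
  directory: '--allow-directory',
};
const TARBALL = /\.(tgz|tar\.gz|tar)$/i;
const PATH_LIKE = /^(file:|\.{1,2}[\\/]|\/|~\/)/;
const GIT_LIKE = /^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i;
const GIT_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.+)?$/; // user/repo[#ref]

function classifySpec(spec) {
  const s = String(spec).trim();
  // Local paths: a tarball extension means a file, anything else a directory.
  if (PATH_LIKE.test(s)) return TARBALL.test(s) ? 'file' : 'directory';
  if (GIT_LIKE.test(s) || GIT_SHORTHAND.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return 'remote';
  return 'registry'; // versions, ranges, dist-tags, npm: aliases
}

function auditManifest(pkg) {
  const fields = ['dependencies', 'devDependencies',
    'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') {
        findings.push({ field, name, spec, kind, flag: FLAG_FOR[kind] });
      }
    }
  }
  return findings;
}

// Distinct allowlists that could not be set to "none" without breaking install.
function requiredFlags(pkg) {
  return [...new Set(auditManifest(pkg).map((f) => f.flag))].sort();
}

// Constructed sample manifest (not from the article).
const samplePkg = {
  dependencies: {
    express: '^4.19.2',
    'internal-ui': 'github:example-org/internal-ui#v2.1.0',
    'patched-lib': 'https://example.com/dist/patched-lib-1.0.3.tgz',
  },
  devDependencies: {
    'local-tools': 'file:../tools',
    vendored: 'file:./vendor/vendored-0.4.0.tgz',
    aliased: 'npm:@scope/real-name@1.2.0',
  },
};
for (const f of auditManifest(samplePkg)) {
  console.log(`${f.flag}  ${f.field}.${f.name} -> ${f.spec}`);
}
```

This covers direct dependencies only; transitive non-registry sources have to be checked in the lockfile.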
Source

The GitHub Blog • May 22, 2026
Staged publishing and new install-time controls for npm