npm: Enforcing 2FA for high-impact projects
Summary
As part of our ongoing commitment to npm ecosystem security, we have already rolled out enhanced login verification to all publishers on the npm registry. The next step in securing the accounts of publishers on the registry is to enforce the use of 2FA for all accounts with publishing rights to high-impact packages. The third phase in this is to roll out 2FA for all "High-Impact Projects".
Intended Outcome
All "High-Impact Projects" are enrolled in enforced 2FA
How will it work?
Once mandatory 2FA is enforced, accounts with publish rights to the top-100 packages on the registry, ranked by dependents, will have limited access to the registry and npmjs.com until they register a 2FA device.