Staged publishing and new install-time controls for npm

npm enhances supply-chain security with staged publishing and new --allow-* install flags. These features provide granular control over package sources, mitigating dependency attacks.

[ KEY POINTS ]

staged publishing: Publish with npm publish --stage <name> and later promote with npm stage promote. This prevents accidentally tagging a pre-release as `latest`.
--allow-* flags: New flags like --allow-file and --allow-remote let you explicitly whitelist installation sources during npm install, expanding on the existing --allow-git.
Both features focus on hardening defenses against supply-chain attacks. It's a good practice to configure them in .npmrc even for solo projects with many dependencies.

Originalgithub.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npmRead original →

// related

#0001
#0001Infra & SaaS GeekNews3 days ago
`Railway` outage exposes GCP account-suspension blast radius
50radar
RailwayPaaS hosting platform — deploys apps and databases together
A single cloud account suspension took down dashboard, API, compute, databases, control plane, and burst compute. Treat platform convenience as a dependency risk.
- The incident started on May 19, 2026 22:20 UTC and lasted about 8 hours. A hosted app needs an external status channel.
- Railway immediately returned 503 from both dashboard and API, so deploy and ops paths failed together.
- The failed surface included compute, database, control plane, and burst-compute infrastructure. Separate backup and recovery paths matter.
Source: news.hada.io/topic?id=29740Read original →
FIG-0011:1
50radar
FIG-0011:1
#0002
#0002Infra & SaaS GitHub Changelog4 days ago
`GitHub` Issue Fields Enter Public Preview for All Organizations
60radar
Typed metadata is now native on issues. Small teams can standardize triage without extra trackers.
- Priority, Effort, and similar typed fields can now live directly on GitHub issues, reducing custom labels and project-board drift.
- Public preview covers all GitHub organizations on github.com, so teams can test it without waiting for an enterprise rollout.
- GitHub Enterprise Cloud with data residency is included too; compliance-bound org repos get the same workflow option.
Source: github.blog/changelog/2026-05-21-issue-fields-are-now-inRead original →
FIG-0021:1
60radar
FIG-0021:1
#0003
#0003Infra & SaaS vercel_blog4 days ago
`Vercel CLI` Can Now Pull Anomaly Alert Details
60radar
Anomaly status now reaches the terminal, including AI investigation output with --ai. Useful for incident triage, but gated behind Observability Plus.
- vercel alerts lists team or project alerts with start time, alert type, and active status; terminal triage gets less context-switching.
- --ai adds AI investigation results next to each alert, giving coding agents enough context to act from the CLI.
- Availability is limited to Observability Plus, so the value depends on whether observability spend is already justified.
Source: vercel.com/changelog/pull-anomaly-alert-details-using-thRead original →
FIG-0031:1
60radar
FIG-0031:1

Staged publishing and new install-time controls for npm

// related

`Railway` outage exposes GCP account-suspension blast radius

`GitHub` Issue Fields Enter Public Preview for All Organizations

`Vercel CLI` Can Now Pull Anomaly Alert Details