npm has announced that from 4 October 2021, all connections to the npm website and npm registry (including package installations) must use TLS 1.2 or later.

Specific timeframes

Although npm will enforce TLS 1.2 as the minimum version from 4 October 2021, it will take steps to alert affected users before the change takes effect.

  • Starting 24 August, users not using TLS 1.2 will see a notice when running the npm command, containing a link to this announcement
  • On 22 September, TLS 1.2 will be enforced for one hour from 05:00 UTC
  • On 27 September, TLS 1.2 will be enforced for one hour from 10:00 UTC, and again for one hour from 18:00 UTC
  • On 29 September, TLS 1.2 will be enforced for six hours from 13:00 UTC

To ensure compatibility, developers should confirm that the npm version they are using supports TLS 1.2 and can install the test package from an HTTPS endpoint that has TLS 1.0 and TLS 1.1 disabled:

npm install -g https://tls-test.npmjs.com/tls-test-1.0.0.tgz

If the installation succeeds, you will see the following message:

Hello! The tls-test package was successfully downloaded and installed.

Congratulations! Your package manager appears to support TLS 1.2.

However, if a TLS error message appears instead, developers are advised to upgrade to the currently supported version of Node.js and the latest version of npm v7.

According to the official description, 99% of the npm registry's traffic is already using TLS 1.2, so npm does not expect most users to be affected by the removal of TLS 1.0 and TLS 1.1. All Node.js binaries from v0.10.0 onwards include support for TLS 1.2, so most users of the latest Node.js and npm versions will not need to make any changes. However, some users may still be using unsupported versions, or may be using custom-built Node.js binaries in which TLS 1.2 is not supported.