npm has announced that from 4 October 2021, all connections to the npm website and npm registry (including package installations) must use TLS 1.2 or later.
Although npm will enforce the minimum required TLS 1.2 from 4 October 2021, steps will be taken to alert affected users of this change before it is deprecated.
- Starting 24 August, users not using TLS 1.2 will see a notice when running the npm command that contains a link to this announcement
- On 22 September, TLS 1.2 will be implemented for one hour from 05:00 UTC
- on 27 September, TLS 1.2 will be executed for one hour from 10:00 UTC, and again for one hour from 18:00 UTC
- 29 September, TLS 1.2 for six hours from 13:00 UTC
To ensure compatibility, developers should ensure that the npm version they are using supports TLS 1.2 and can install test packages from HTTPS endpoints that have TLS 1.0 and TLS 1.1 disabled.
At this point you will see the following prompt message.
However, if you see a TLS error message, developers are advised to upgrade to the current supported version of Node.js and the latest version of npm v7.
According to the official description, 99% of the npm registry’s traffic is already using TLS 1.2, so they don’t expect most users to be affected by this abandonment of TLS 1.0 and TLS 1.1. All Node.js binaries from v0.10.0 onwards include support for TLS 1.2, so most users of the latest Node.js and npm versions will not need to make any changes. However, some users may still be using unsupported versions, or may be using custom-built Node.js binaries where they are not supported.