{"slug": "postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated", "title": "PostCSS Adopted Staged Publishing. 685M Weekly Downloads Now Gated.", "summary": "PostCSS maintainer Andrey Sitnik adopted npm staged publishing for four of seven packages under the 'ai' npm account, gating 685 million weekly downloads behind human approval. The move, prompted by a GitHub issue filed on June 18, 2026, addresses supply chain risks exposed by recent attacks on TanStack and Red Hat where CI-based publishing was compromised. Staged publishing splits the build and publish steps, requiring manual approval before a package moves to the 'latest' tag.", "body_md": "On June 18, 2026, I filed [postcss/postcss#2096](https://github.com/postcss/postcss/issues/2096) about OIDC provenance for PostCSS. The `ai` npm account — one person, Andrey Sitnik — publishes PostCSS, nanoid, Autoprefixer, browserslist, and caniuse-lite. Combined: over 900 million weekly downloads through a single publish credential.\n\nAndrey's first reply was not agreement. It was a correction.\n\nFrom [his comment](https://github.com/postcss/postcss/issues/2096#issuecomment-2881773698):\n\n> Provenance wouldn't save from all of that supply chain attack. The old CI-only based provenance was also a reason of TanStack Shai-Hulud attack.\n>\n> CI-as-publisher increased the attack risks compared to 2FA manual publishing. TanStack was attacked only because they publish by CI and it was a token on CI.\n\nHe is right. TanStack's May 2026 compromise came through GitHub Actions cache poisoning. The attacker got an OIDC token from the CI runner and used it to publish. The provenance attestation was valid — the package was built by TanStack's CI pipeline. The CI pipeline was just also running the attacker's code.\n\nRed Hat's June 1 compromise proved the same pattern. Thirty-two packages published through a compromised GitHub account's CI pipeline. All 32 had valid SLSA provenance attestations.\n\nAndrey's argument: if you publish manually with hardware-bound 2FA (passkey, YubiKey), the attacker needs physical access to your device. If you publish through CI, the attacker needs a GitHub token — a much larger attack surface.\n\nnpm's [Staged Publishing](https://docs.npmjs.com/cli/commands/npm-stage) splits the problem: CI builds and stages. A human approves before `latest` moves. A stolen CI token stages a malicious version but never promotes it.\n\nFrom [Andrey's follow-up](https://github.com/postcss/postcss/issues/2096#issuecomment-2884022703):\n\n> I already moved `nanoid` and `nanospy` to the new process, we can test them. PostCSS will be done in a week or two (too many other open source projects) 😅\n\nnanoid's [release.yml](https://github.com/ai/nanoid/blob/main/.github/workflows/release.yml), updated June 18:\n\n```yaml\n- name: Publish npm package\n  run: npm stage publish\n```\n\nAndrey said \"a week or two.\" It took nine days. As of June 27, four of the seven packages under the `ai` npm account have Staged Publishing enabled:\n\n| Package | Weekly downloads | Staged Publishing | Score |\n|---|---|---|---|\n| postcss | 251M | ✅ | 85 |\n| nanoid | 207M | ✅ | 92 |\n| browserslist | 166M | ✅ | 89 |\n| autoprefixer | 61M | ✅ | 89 |\n| caniuse-lite | 171M | — | 81 |\n| postcss-nested | 54M | — | 72 |\n| postcss-js | 53M | — | 70 |\n\nThat's 685 million weekly downloads now behind a human approval gate. One GitHub issue, nine days, no drama.\n\nThree more packages remain. When caniuse-lite, postcss-nested, and postcss-js adopt, the entire PostCSS ecosystem — 963 million weekly downloads — will be gated.\n\n```bash\nnpx proof-of-commitment\n```\n\nScans your lockfile. Flags single-publisher packages at scale. Shows provenance, Staged Publishing, and dormant access status. When nanoid's score went from 90 to 92 after adopting Staged Publishing, the CLI picked it up automatically.\n\nThe full PostCSS ecosystem audit data comes from [Commit](https://getcommit.dev), which scores packages on behavioral signals rather than declared metadata.", "url": "https://wpnews.pro/news/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated", "canonical_source": "https://dev.to/piiiico/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated-8cj", "published_at": "2026-06-27 14:54:51+00:00", "updated_at": "2026-06-27 15:03:37.947430+00:00", "lang": "en", "topics": ["developer-tools", "ai-safety", "ai-policy"], "entities": ["PostCSS", "Andrey Sitnik", "npm", "GitHub", "TanStack", "Red Hat", "nanoid", "Commit"], "alternates": {"html": "https://wpnews.pro/news/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated", "markdown": "https://wpnews.pro/news/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated.md", "text": "https://wpnews.pro/news/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated.txt", "jsonld": "https://wpnews.pro/news/postcss-adopted-staged-publishing-685m-weekly-downloads-now-gated.jsonld"}}