Arrange Act Assert

Jag Reehal's thinking on things, mostly product development

Tag: open-source

2 posts tagged “open-source”.

The GitHub and npm settings open source maintainers should turn on before they need them

08 Jun 2026

In the middle of a supply-chain incident, the maintainer is not just fixing packages. They are locked out of their account, answering reports, trying to contact registries, trying to warn users, and trying to prove what happened.

That is the part we do not talk about enough.

Most open source maintainers are not companies. They do not have incident response teams. They do not have a security department. They have a GitHub account, an npm account, a laptop, and a lot of people depending on them.

Security advice often assumes the maintainer is the weak link. That is backwards. The maintainer is the last line of defence, usually unpaid, usually alone, and often locked out of the systems they need during the incident.

This is the checklist I wish every maintainer had before something goes wrong. No single setting saves you, so it works in layers: the account, the branch, the release path, the workflow, the tokens, the files, the tripwires, and the recovery plan.

Managed laptops do not make secure maintainers

08 Jun 2026

After a supply-chain incident, companies reach for the control they own: the device. They lock laptops down, ban personal accounts, restrict tools, and tighten policy.

That response can reduce risk. It does not secure the part that failed.

Open-source incidents do not usually begin with someone using the wrong brand of laptop. They begin with compromised accounts, weak release paths, bad credential hygiene, missing recovery plans, and maintainers who never got taught how GitHub, npm, OIDC, and publishing controls fit together.

If you secure the device and ignore the maintainer, you leave the real problem in place.