The NPM registry is deprecating TLS 1.0 and TLS 1.1

That’s a pretty nice set of steps, a genuine deprecation including even as good an attempt as is possible at notifying where it’s needed, rather than just a removal. It’s interesting to note that they don’t say when they’ll finally remove it.<p>(One of my pet peeves is people abusing the word “deprecate” when they mean “remove”. The word “deprecate” means just discouraging something without actually removing it, though it’s typically a precursor to subsequent removal.)

When Heroku removed support for TLS 1.0 and TLS 1.1 this year, I was surprised at how many of my customers were effected. I didn&#x27;t give the deprecation much thought, assuming everyone was using a secure TLS version, but I guess enterprises like their legacy technology.

PyPI did this in 2018: <a href="https:&#x2F;&#x2F;github.com&#x2F;pypa&#x2F;warehouse&#x2F;issues&#x2F;3411" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;pypa&#x2F;warehouse&#x2F;issues&#x2F;3411</a>

So I was curious and tried to figure out how to, client side, enforce TLS 1.2+ for npm. It is surprisingly not straightforward to me. I also had an annoying time due to &#x27;npm&#x27; being the tool name and the repo name.<p>It seems you have to set an environment variable,<p><pre><code> NODE_OPTIONS=--tls-max-v1.2 </code></pre> But that&#x27;s for node in general and I&#x27;m not sure if it even works for npm. I was expecting this to be something I could do in a package.json<p>I&#x27;ve done this for Rust for a long time by just setting a flag in `project&#x2F;.cargo&#x2F;config.toml`<p><pre><code> [http] ssl-version.min = &quot;tlsv1.2&quot; </code></pre> (side note - I&#x27;ve had 0 issues with tlsv1.3 in cargo with crates.io)<p>I also wasn&#x27;t able to figure out how to do this for `pip`. I honestly expected this to be super straightforward, but I guess I was sort of spoiled by how easy it was with cargo.

TIL that github runs the npm registry?

I know it has been a huge pain in the ass for some applications that use older ODBC drivers when Azure made TLS 1.2 the default for Azure SQL databases.

A year or so back, Microsoft made an announcement of dropping TLS 1.0 and 1.1 support in Internet Explorer (and IE mode in Edge) but that seems to have gone quiet, and I now wonder whether they intend to keep support going until Internet Explorer (and IE mode in Edge) itself falls out of support.

How long has GitHub been running the NPM registry? This is the first I&#x27;ve ever heard of it.

Are there any theoretical attacks on git&#x27;s usage of sha1?

Everything is deprecating those old TLS versions, meanwhile Cloudflare still requires you to pay for a Business account to be able to disable them. Even though they also planned to deprecated them way back in 2018.