This change affects only the requirements for new packages. The developers do not need to verify their email address to publish new versions of their existing packages.
Why this Change?
This change has been done to slow down on spammers publishing thousands of packages to the npm registry, either from a single account or creating multiple accounts for every package published. In the current state of npm anyone can create an account immediately and start spamming very easily as there is no verification step required.
Requiring valid email addresses for people intending to publish new packages is one of the several steps the team of npm is taking to slow down on spammers. The team is also working with Smyte to identify spam packages using the data from their metadata and README as they are published. This way they can clean up spam packages faster than they were able to do it in the past.
How to verify your email address?
When you login on the npm website using your credentials, you will see the banner just like below if your email address needs verification. You also will see this banner when you try to create an account on the npm website.
Check your mailbox for the verification email from npm or you can click “send it again” if the verification email isn’t in your mailbox.
When this change will take effect
Starting next week, i.e., July 25, it will be mandatory to verify your email address before you can publish any new packages in the npm repository.
Contact npm support team if you have any questions about this requirement or experience problems following the steps above. npm loves you, but it doesn’t love spam.