From 4b0aeb3d9fb7aa14cf4516ddb67d4e8543e0ba5e Mon Sep 17 00:00:00 2001
From: Niels Swimberghe <3382717+Swimburger@users.noreply.github.com>
Date: Wed, 29 Oct 2025 11:43:35 -0400
Subject: [PATCH 1/2] Correct timeline for npm OIDC publishing
---
.../products/sdks/overview/typescript/publishing-to-npm.mdx | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fern/products/sdks/overview/typescript/publishing-to-npm.mdx b/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
index 571fe5251..bed51c909 100644
--- a/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
+++ b/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
@@ -8,7 +8,7 @@ registry](https://www.npmjs.com/). After following the steps on this page,
you'll have a versioned package published on npm.
-If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in early 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
+If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in mid-November 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
@@ -113,7 +113,7 @@ groups:
Choose how you want to authenticate with npmjs when publishing.
-**Starting in early 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
+**Starting mid-November 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
@@ -205,7 +205,7 @@ Provenance attestations aren't generated for packages published from private rep
-**This method is being deprecated by npmjs.org in early 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
+**This method is being deprecated by npmjs.org in mid-November 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
From 65e01e532b754e2cd5de17b7f37e82df33fd42a6 Mon Sep 17 00:00:00 2001
From: Niels Swimberghe <3382717+Swimburger@users.noreply.github.com>
Date: Wed, 29 Oct 2025 11:48:56 -0400
Subject: [PATCH 2/2] vale
---
.../sdks/overview/typescript/publishing-to-npm.mdx | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fern/products/sdks/overview/typescript/publishing-to-npm.mdx b/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
index bed51c909..22e8a60ae 100644
--- a/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
+++ b/fern/products/sdks/overview/typescript/publishing-to-npm.mdx
@@ -8,7 +8,7 @@ registry](https://www.npmjs.com/). After following the steps on this page,
you'll have a versioned package published on npm.
-If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in mid-November 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
+If you're using token-based authentication, npmjs is deprecating long-lived tokens in mid-November 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
@@ -190,7 +190,7 @@ OIDC-based publishing (also known as "trusted publishing") is the most secure wa
Common causes:
- Workflow filename doesn't match exactly (must be `ci.yml`)
- Trusted publisher configuration on npmjs.com doesn't match your repository settings
-- Using self-hosted runners (not currently supported by npmjs.org)
+- Using self-hosted runners (not supported by npmjs.org)
**Solution:** Double-check your trusted publisher configuration on npmjs.com matches your repository name and workflow filename exactly.
@@ -266,7 +266,7 @@ Your SDK will automatically be published to npmjs when you create a GitHub relea
1. Create a GitHub release with a version tag (for example, `v1.0.0`)
1. The CI workflow will run automatically and publish to npm
-1. View your package on npmjs.com to confirm the new version
+1. View your package on npmjs.com to confirm the version
@@ -307,7 +307,7 @@ Add your `FERN_TOKEN` as a repository secret (run `fern token` to generate one),
## Migrating from token-based to OIDC publishing
-If you're currently using token-based authentication and need to migrate to OIDC, follow these steps:
+If you're using token-based authentication and need to migrate to OIDC, follow these steps:
### Why migrate to OIDC
@@ -522,7 +522,7 @@ After completing either migration path:
- Workflow filename doesn't match exactly (must be `ci.yml` with the `.yml` extension)
- Missing `id-token: write` permission in workflow
- npm CLI version is older than 11.5.1
-- Using self-hosted runners (not currently supported)
+- Using self-hosted runners (not supported)
**Solution:** Double-check your trusted publisher configuration on npmjs.com matches your actual workflow file name and verify all requirements are met.
@@ -530,7 +530,7 @@ After completing either migration path:
-If your workflow continues using the old token-based authentication:
+If your workflow continues using token-based authentication:
- Verify you've removed the `npm config set` line and the `env: NPM_TOKEN` block from the publish step
- Check that npm CLI version 11.5.1+ is installed (add the update npm step)