Consider Adopting NPM Trusted Publishing

> ## Overview
> Recent [supply chain attacks on npm](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/) have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.
> 
> Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by `PyPI`, `RubyGems`, `crates.io`, `NuGet`, etc...
> 
> `NPM` is [planning to deprecate legacy tokens](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/#h-npm-s-roadmap-for-hardening-package-publication) and make trusted publishing the preferred method.
> 
> ## Reference
> References:
> 
> * [NPM trusted publishing documentation](https://docs.npmjs.com/trusted-publishers)
> * [Announcement blog post](https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/)
> * [Provenance statements guide](https://docs.npmjs.com/generating-provenance-statements)
> 
> Inspiration:
> 
> * [Consider adopting npm trusted publishing microsoft/TypeScript#62499](https://github.com/microsoft/TypeScript/issues/62499)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Consider Adopting NPM Trusted Publishing #1978

Overview

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Consider Adopting NPM Trusted Publishing #1978

Description

Overview

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions