Our plan for a more secure npm supply chain

[leobalter]

We recently published a post about our plan to improve security on npm as a supply chain supplier and I'd love to gather everyone's feedback.

Please use this thread for general feedback. Other threads might be pinned as well as they get popularity as I want to keep free formatting for all.

Thanks!

[ljharb]

• on killing TOTP: https://github.com/orgs/community/discussions/174505
• on forced expiry: https://github.com/orgs/community/discussions/174506

[devid44555-web]

This is a really valuable initiative — npm security improvements are long overdue, especially with how [common])dependency attacks have become. Strengthening the supply chain not only protects developers but also builds more trust in the ecosystem. Excited to see how these changes roll out and impact package publishing in the coming months. Great work by the team.

[db-Andrey]

Очень круто!

[wesleytodd]

Copying some feedback here from our Slack discussion:

Ok, this is overall a good step, specifically disallowing non-2FA local setups and setting better defaults. It is still missing the workflow for 2FA in CI, it seems to limit ci publish to only trusted publishing (unless you want to deal with the toil of manually minting a token every week) which means we loose one existing option for a secure setup, and also need to request a fix for the missing identity on publishes.

So while it is moving in the right direction, my first optimistic read was anchored on the defaults and missed the whole bit that they are not actually addressing the ask for native 2FA workflows and even making one secure (albeit complicated to setup) workflow even harder since they dont have a proper api for minting tokens.

I think mainly these changes are good, they are just not complete. Adding first party support for the CI workflows to require 2fa as well is the main missing piece for me.

Additionally, see #174508 for some impact from the expiry and automation token removal.

[IchordeDionysos]

it seems to limit ci publish to only trusted publishing

As a package consumer, I would want to have every package on npm use trusted publishing, period. Not even allow, local publishing with 2FA or publishing with an expiring token.

Trusted publishing allows you to look into the exact commit and build pipeline that was used to build a package.

[wesleytodd]

Trusted publishing allows you to look into the exact commit and build pipeline that was used to build a package.

You have been able to do this for a long time without trusted publishing. The packument contains the commit it was released from. That is how things like npx reproduce work. Unfortunately it is not common that you can reproduce a build. Additionally, the provenance data is only kept as long as GHA keeps past builds (right now I think 90 days max). So you are not really getting much more from TP, and you are loosing forced 2FA because those are mutually exclusive today.

So while I think your goals are spot on, the implementation today of TP is drastically lacking for achieving said goals. So until those gaps are closed, a responsible maintainer with 2FA turned on is more secure than TP. Once the gaps are closed, I think we can recommend it but that doesn't mean there is anything to gain from removing local publish.

Instead we should focus our attention on increasing the reproducibility of builds and adding 2FA support in all the right places.

[voxpelli]

There’s also some still valid and unaddressed feedback in the discussion around the OIDC / Trusted Publishing launch, such as eg my comment there: https://github.com/orgs/community/discussions/161015#discussioncomment-14419367

[dasa]

From https://docs.npmjs.com/trusted-publishers

Self-hosted runners are not currently supported but are planned for future releases.

Is this support planned to be released before deprecating legacy classic tokens?

We use GHES with self-hosted runners in our publishing workflow, and would like to switch OIDC / Trusted Publishing. It would be a breaking change for us to no longer be able to use legacy classic tokens with no ability to use OIDC instead.

[voxpelli]

Feel free to join in on ossf/wg-securing-software-repos#90 to discuss the general principles and guidance for adding new platforms to Trusted Publishing enabled registries (goes beyond npm)

[saquibkhan]

@voxpelli it is not related but i want to share with you and others for visibility on npm oidc APIs (currently supports github/gitlab) - https://api-docs.npmjs.com/

[rbarker-dev]

Self-hosted runners are not currently supported but are planned for future releases.

I am also very curious if this will be solved before deprecating classic tokens

[MarshallOfSound]

There's a lot of good feedback elsewhere in these discussions but I want to make my take public outside of the slack as well.

I'm going to go through the bullet points in the github blog post and then provide my own additional requests at the bottom.

Current Planned GitHub / NPM Action Items

Deprecate legacy classic tokens.

✅ This is good, get rid of them. Scoped and granular tokens are intrinsically more secure and the developer pain of "ah darn I gotta run npm login again" is worth the security win IMO.

Deprecate time-based one-time password (TOTP) 2FA, migrating users to FIDO-based 2FA.

✅ Again, this is great. I had this as an item in an unpublished blog post that NPM should do. It effectively moves NPM from "2fa" to "phishing resistant" 2fa, which if in place 2 months ago would have prevented several of the initial compromises we saw hit the npm registry due to phishing attacks against maintainers (some of whom had 2FA and got their TOTP mitm'ed).

To be clear, this is going to be quite annoying for so many people. Not in the least me, Electron publishes ~50+ packages all using TOTP codes (securely sent via http://github.com/continuousauth to github actions) that all need to be migrated to trusted publishing. But this is work we were going to do anyway because we'd already made our own conclusions about trusted publishing being the more secure future.

Limit granular tokens with publishing permissions to a shorter expiration.

❓ This one is rough, there is currently an unsolved "Enterprise" usecase here that I will outline in "Missing Pieces" below.

Set publishing access to disallow tokens by default, encouraging usage of trusted publishers or 2FA enforced local publishing.

✅ Finally, yes, thank you. Guiding developers towards the more secure option by default is a quick and easy win here that doesn't impact any existing package.

Remove the option to bypass 2FA for local package publishing.

✅ Yessss. Thank you. Forcing 2FA for everyone is the single biggest win out of all of these, if you run npm publish locally it shouldn't matter what token you have, there should be a final form of "step up" auth in this case 2FA. Will it results in some developers having to open a browser every time they publish? Yes. Is that the end of the world? No

Make everyone have secure phishing resistant 2FA, and then force everyone to use it 💯

Expand eligible providers for trusted publishing.

❓ This one is also rough, but not because I'm against the idea, I'm wary of the implementation. See the "other OIDC providers" bit in "Missing Pieces" below

Missing Pieces

Let's pretend that everything in the above list shipped, what are we still missing to have a secure and simple package publishing strategy that works for everyone who currently uses npm

Trusted Publishing should be One Way

Once you opt in to Trusted Publishing and publish your first release with it, that should be a one way choice only changeable in extreme cases with intervention from npm support. Currently just having access to a maintainers npm account effectively let's you perform a "downgrade" attack on them by removing trusted publishing and/or changing publishing settings. Once a package is published the Super Safe way, it should only ever be publishable that way.

Trusted Publishing should use repository ID not name

This is a common issue I see with github apps and other github integrations, I'm disappointed to see it from npm. By validating the owner name and repository name you are intrinsically creating the following issues:

• Typos / typo-squatting
• Race conditions when renaming
• Race conditions when transferring repos between orgs / to an org

The current UI in npmjs.org needs to be an actual dropdown of repositories using github oauth to provide a list and then internally it should validate the repository_id claim of the OIDC token not the repo slug as that is unsafe.

Trusted Publishing should set up and enforce github environment usage

Current GitHub environment usage for trusted publishing is a manual and optional step, in addition to the above once you have an oauth token for the users github account, set up the environment for them. Enforce the environment can only be used on the {DEFAULT_BRANCH} by default (user can change later if they want) and even give them a $CI_PROVIDER template file that consumes that environment in a safe way.

This should be a series of clicks in the UI, not a custom yaml file, a hand crafted environment and manually typing in repo org and name.

Trusted Publishing should disable all other legacy forms of publishing when active

Currently even with trusted publishing enabled, a compromised maintainer account with a TOTP mitm can still publish these packages. Having Trusted Publishing active should just make all other forms of publishing disabled, regardless of how much auth you provide. See Trusted Publishing should be One Way again for more reasoning.

The Enterprise Usecase and Other OIDC Providers

These two I don't have an answer for, but calling them out anyway. Enterprises use self hosted runners, even to publish open source packages, they also use CI systems that aren't github actions or gitlab. What's the story going to be for them, enterprises with self hosted CI (Jenkins, BuildKite, CircleCI, etc.) should still be capable of publishing packages safely without having to manually update a token every 7 days 🤔 I would like to see a plan for that.

[pimterry]

Once you opt in to Trusted Publishing and publish your first release with it, that should be a one way choice only changeable in extreme cases with intervention from npm support.

Trusted Publishing should disable all other legacy forms of publishing when active

While generally tightening this up is good, imo exclusive-use + one-way-only always is too much.

It's hard to know how people will use this and want to change their setups in future (especially as the ecosystem develops and new solutions to these issues appear), or will get stuck with broken setups, and all that will create extra support load for npm en route. HPKP is a good example of how this goes wrong. Mainly I worry hard limits like this will discourage people from enabling trusted publishing in the first place, since it makes it a much higher risk more complicated thing to enable.

Trusted publishing needs to work somehow for people maintaining just one package as a tiny sideproject, and people just testing it out and exploring, not just for large mature orgs who know what they're doing. Otherwise most packages will never use it, and we all know how many tiny packages maintained by individual hobbyists are powering the ecosystem.

There's plenty of good middle ground though: e.g. adding a delay for any changes (e.g. doesn't disable for 48 hours, maybe a week) and notifications allowing any maintainer of the package to block the change. That would significantly increase the challenge of a downgrade attack, which still making it possible for normal users to manage trusted publishing configs in a reasonable way.

Obviously any change like this should require 2FA auth anyway though... And if you can do a downgrade attack providing the password & 2FA, you could also just change the account's email, password & 2FA setup directly, in which case you can just do whatever you want (including legitimately talking to NPM support as the account owner)... Maybe the delay is the only solution for this extreme case, since at least that way the real owners have some warning & time to object before anything can happen.

It might also be interesting to explore a 'modification lock' approach (like https://en.wikipedia.org/wiki/Registrar-Lock for DNS) independent of just setting up Trusted Publishing - once all is good and you're happy, then you tell npm to make it extra hard to change these settings later, and enforce a 7 day delay/support request/visit to the NPM office/notarized letter from your head of state/whatever.

[3nprob]

What you are proposing results in that publishing can only practically be done from GitHub and GitLab architecture. There must be a compelling, proven, and established flow for self-hosted/third-party Trusted Publishing on npmjs before we should consider enforcing it across the NPM platform and community.

Ideally with a realistic timeline between announcement and enforcement (years or months, not weeks or days).

[MarshallOfSound]

What you are proposing results in that publishing can only practically be done from GitHub and GitLab architecture. There must be a compelling, proven, and established flow for self-hosted/third-party Trusted Publishing on npmjs before we should consider enforcing it across the NPM platform and community.

That is not what I am proposing in the slightest.

There is no reason why local publishes can't still be supported in a safe way in a world where Trusted Publisher is the *default, easy to use and bullet proof (which is what most of my feedback covers).

A developer should be able to run npm publish and provide username & password & webauthn based authentication, potentially additionally verify by additional validation via email verification in "suspicious" cases (country changes, lots of rapid publishes, etc.). But they should have to do that for every publish, not have a magic token that let's you publish from anywhere at any time which is the current world we live in.

The same system could theoretically be used by other CI providers, the npm publish job currently outputs a URL that the developer must authenticate the publish with. Your CI can just "pause" on that URL and you can provide the auth on your machine. Automated publishing requires a level of trust in the infrastructure that we can't just assign to everyone but I agree there should be a clear set of guidelines and requirements for onboarding new trusted OIDC roots beyond just GitLab and GitHub. I just don't see a world where self-hosted ever meets that bar, third party folks like CircleCI/BuildKit and such though I definitely want to see on this list. (Note: I called this out in "The Enterprise Usecase and Other OIDC Providers")

[MarshallOfSound]

It might also be interesting to explore a 'modification lock' approach (like https://en.wikipedia.org/wiki/Registrar-Lock for DNS) independent of just setting up Trusted Publishing - once all is good and you're happy, then you tell npm to make it extra hard to change these settings later, and enforce a 7 day delay/support request/visit to the NPM office/notarized letter from your head of state/whatever.

Anything a developer has to opt in to will not be used. See: 2FA

If people wanted to be more secure at scale everyone on the registry would voluntarily have secure 2FA right now, but they don't.

At a certain point we need to make the trade-off as an ecosystem: Security of the ecosystem must be the priority and developer UX can take a back seat in some areas. Baseline registry security should never be optional or opt-in

[spiralman]

@MarshallOfSound we are also going to be impacted by the inability to authenticate between CircleCI and NPM for publishing private packages. Your suggested workaround:

Your CI can just "pause" on that URL and you can provide the auth on your machine.

Is hardly universally possible, and probably not simple to implement in any CI system.

Realistically, it seems like this change, without flexible CI support, is more likely to cause developers of packages to revert to manual publishing from laptops, which is almost certainly more fraught for supply-chain attacks than publishes from a CI system.

Would it not be possible to just add a "generic" trusted publisher type, where the NPM administrator enters an expected issuer and public key for the JWT, for a particular package or NPM organization? This is how AWS and GCP work to grant access to, e.g. CI tools without each CI tool having to be registered with them.

If you're uncomfortable with this for public packages (i.e. you are concerned developers will use this to "hack around" your restrictions and not use proper key management), you could restrict these generic trusted publishers to just private NPM packages, which would at least meet our needs.

In lieu of this, can you at least provide a date for CircleCI to become a trusted publisher?

[leobalter]

Here is a new post with changes we are applying first as part of this program. Please take a look and thanks for the continued feedback, as it is helping us doing some fine adjustments to the new measures we are implementing.

[voxpelli]

why not publish the underlying technology pieces and processes so that teams could adopt this themselves

@twesterhuys The Trusted Publishing concept was pioneered by PyPI and described and documented by the OpenSSF Working Group on Securing Software Repositories in eg the Trusted Publishers for All Package Repositories document.

Making oneself technically able to become a Trusted Publishing platform is the fairly easy part – getting oneself onboarded as a valid platform by npm is the harder part.

Ultimately there should be guidance on this, I opened ossf/wg-securing-software-repos#90 to track it

[twesterhuys]

@voxpelli that's great news and many thanks for the background - would be nice if GH more explicitly mentiones this in their docs rather then to referring this much more vaguely. Good to hear that what I assumed was the problem (onboarding rather then tooling/standards) to be the bottleneck and many thanks for crystilizing this in the issue.

[ljharb]

@IchordeDionysos trusted publishing provides a stealable short-lived token too, so no, it wouldn't.

[MarshallOfSound]

trusted publishing provides a stealable short-lived token too, so no, it wouldn't.

This doesn't cover the full picture, trusted publishing provides significantly shorter lived tokens and they aren't on end-user machines. Stealing them would require compromising the entire privileged build environment, not just phishing a user which is what happened multiple times last month. You can't phish an OIDC token, and you can't steal access from a human or a compromised developer machine if they didn't have it to begin with.

[ljharb]

I believe the shai-hulud attack exfiltrated a token from a workflow, which would work the same way for OIDC.

[DNin01]

I think npm accounts should be as important as... I don't know, Apple developer accounts. Great to see that security updates are being made!

[ericcornelissen]

If you're going to force people to generate new tokens by forcing (short) expiry windows, at least make it easy for them to regenerate tokens using the previous configuration. As someone who has been using short-ish expiry windows already, this has been by far my biggest frustration with it - this feature has been long overdue...

If a token of mine expires, I probably need one with the same granularity to replace it, so give me that option. If not, I think many developers will just generate overly permissive tokens because it's easier than specifying one package per token (again, I have considered this but luckily I don't publish that often). I believe this would contribute significantly to preventing attacks as a leaked token for one project wouldn't allow publishing all the package maintainer's other tokens.

See also my earlier piece of feedback: npm/feedback#1088

[grochoge]

Please clarify the scope for this. It's linked from the main GitHub page; is it only for NPM or is it for everyone?

I believe there are some things that you can do with classic access tokens that you cannot do with fine-grained tokens

[voxpelli]

The specifics in the post is for the npm registry in particular (which is owned by GitHub)

The concept of Trusted Publishing comes from OpenSSF / PyPi and GitHub has supported such publishing to such platforms for years.

See eg. https://repos.openssf.org/trusted-publishers-for-all-package-repositories for an overview and description of the general principles and reasoning behind the “Trusted Publishing” concept

[43081j]

One thing we seem to be skipping over:

GitHub environments should have an option to require 2fa

All of these npm changes are fine if there's 2FA in the trusted workflow.

Currently, you can already bind a trusted workflow to an environment in that it must be run through that to be considered trusted.

In reality the only reason anyone is complaining about the changes so far is because such a flow doesn't exist.

The flow should basically go like this:

• create a release (however you prefer, e.g. tags)
• workflow is triggered against an environment
• environment waits for approval (already possible)
• in order to approve, maintainer must complete 2FA
  • similarly, changing the workflow settings (like removing approvals constraint) should need 2FA

Admittedly this isn't an npm change but given how we're all being pushed to use GitHub for publishing, it's a very important feature to make the whole picture work.

[voxpelli]

Totally agree, I mentioned this here: https://github.com/orgs/community/discussions/161015#discussioncomment-14419367

What I would want:

Multiple reviewers are possible for branch protection rules, feels like it should even more so be possible for deployment environments.

[saquibkhan]

@43081j @voxpelli can you help us with a scenario where a workflow without 2fa challenge on approval can be compromised/hacked and insecure?

[43081j]

if someone compromises an action right now, they may be able to capture a github token.

lets say they manage to do that, and the token has the permissions necessary to commit and to trigger a release (whether it be by a tag or by a GitHub release, or whatever git-based trigger).

if they got this far, they can probably use the same token to either disable the approval constraints or to approve the workflow (assuming you bound the workflow to an env that requires approvals).

if we could require 2FA when approving workflows, that means even a stolen token can't approval a release at the end of it. they'd need to pass through 2FA to approve it, or to disable the approval constraint.

right now, someone could get this far with a compromised token and successfully publish a package as far as i understand

(some of the recent incidents were compromised, overly permissive GitHub tokens acquired through workflows. so we have to assume that will happen again)

as far as i can see, most other concerns are moot if this gets solved. people who are unhappy about losing TOTP, are only unhappy because they're still publishing manually right now - and the only reason they're publishing manually is because they can't enforce 2FA on publish approvals.

[shajz]

Hi, thanks for this post. Some questions about npm login and its use of legacy tokens:

To be able to run npm ci on projects that use private scoped packages on the npm registry, we have to run npm login to be authenticated and gain access to those packages (otherwise we get a 404).

Right now, the npm login command generates legacy tokens.

When you run npm login, the CLI automatically generates a legacy token of publish type. For more information, see About legacy tokens.

How will this be impacted by these changes? The github blog post does not address this issue.

Thanks!

[kategengler]

I am also wondering about this. I use npm login in order to change a dist-tag (to promote a stable release to our lts tag).

[leobalter]

You're correct that npm login currently generates legacy tokens. We've planned for this - when we complete the classic token revocation, npm login will automatically switch to receiving compatible short-lived session tokens that expire after a reasonable session duration. Your existing workflows for accessing private scoped packages with npm ci will continue to work without any changes required on your end.

The transition will be handled transparently by the CLI, so you can continue using npm login as you do today. We'll share full implementation details in our upcoming release announcements over the next few weeks.

Let us know if you have specific concerns about your CI/CD setup that we should consider.

[kategengler]

I'm happy to hear that -- those tokens make me nervous!

[arcanis]

@leobalter will that work with older versions of the npm cli ? Does that change how 3rd party package managers should interact with the registry endpoints ? Yarn implements yarn npm login as well - do we need to change our implementation ?

[shajz]

@leobalter thanks for the reply! A few more questions:

What will be the default granular token options? (duration / read-only vs read-write / organizations scopes)
I'm assuming we'll need to update npm if we need special options? Currently, npm login gives us a non expiring token with read-write with private org access, which is very convenient from a developer standpoint. I fear it won't be that easy after the new solution is deployed.

Every developer in my company will be impacted and I will have to tell them what to do once their classic tokens are revoked. I'm anticipating a big ball of frustration and would like to know how to avoid it! 😅

[jacobtb23]

Thanks for the post. Related specifically to the Shai Hulud attacks I saw mentioned in the article that there are controls in place to prevent packages with Shai Hulud IoC's from being published. Can you detail that for me? We are trying to assess if NPM/Github has this under control or if we need to build out additional checks for Shai Hulud effected packages (Search for IoC's ourselves).

[std4453]

Our company has its own CI system and we do some npm package publishing using long-live tokens. We would like to migrate to Trusted Publishing, yet documentation says that it does not have wide support, nor is there any clear directions on how to implement Trusted Publishing for custom CI systems.

With long-live tokens going to be revoked in mid-November, does that mean our only option is to npm login every time before CI tasks? How does that suppose to work along with 2FA, and do we have examples on that?

[fmal]

Will long-lived classic tokens with read-only scope (not able to use for publishing) will also be revoked? They're useful for granting read-only access to packages in a private scope and don't pose security risk like publish tokens.

[twesterhuys]

Only if you happen to be on github.com or gitlab.com using shared hosted runners and hence can enable Trusted Publishing¹. If you happen to use GitHub or GitLab self hosted runners or other CI providers this is currently not supported and it's unclear when this will be the case. Docs used to say self hosted runners are not supported. It seems to have been updated to now say

Self-hosted runners are not currently supported but are planned for future releases.

Footnotes

1. https://docs.npmjs.com/trusted-publishers ↩

[mex]

But isn't the OIDC flow and Trusted Publishing specifically for write access tokens? It doesn't seem to solve the case of read-only access to private NPM packages. Requiring manual token rotation every 90 days is akin to begging people to implement (less secure?) workarounds to somehow automate that process.

[twesterhuys]

Yes, ignore my comment. The current wording is not entirely clear, I think? To me it reads like the new limits only apply to tokens with write scopes:

Starting in mid-October, all newly created write-enabled granular access tokens for npm will have:

[mex]

You are right, it does only apply to tokens with write scopes. If you create a new granular access token for read-only access, you can still set the expiry time to for example 2100-01-01.

[denolfe]

Phew, this would have been a huge burden for my team. Thanks for this clarifying thread.

[mikew]

Is there a way to use Github actions to generate a new token? We could then use that as a jumping board to update a token in a CircleCI context.

[meeech]

I don't think you will have to do this. I'm in conversation with github, and I don't see any reason why we won't be able to get this done pretty quickly.

[meeech]

https://github.com/orgs/community/discussions/174507#discussioncomment-15126831

[Otr437]

No you cannot use GitHub as a jump point for new tokens that would be redundant in in in they can just capture the traffic and still inject maliciously

…

On Thu, Oct 30, 2025, 10:53 AM Mike Wyatt ***@***.***> wrote: Is there a way to use Github actions to generate a new token? We could then use that as a jumping board to update a token in a CircleCI context. — Reply to this email directly, view it on GitHub <#174507 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BING55RFQFKPO6ZUCRIPU5T32IQ6LAVCNFSM6AAAAACHJT4IZ2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIOBSHAYDQMQ> . You are receiving this because you commented.Message ID: ***@***.***>

[riderx]

when there is stupid rules stupid solution will be found. We will all endup running a browser in a cloud to generate our token and put our password and 2fa in it. Because NPM team tough once again they where smarter than everyone

[pyymenta]

Hey guys I have a question about the classic tokens deprecation:

Will this deprecation affects Github Packages authenticated with PAT - Personal Access Token(classic) as well?

In Github Packages documentation, they enforce that has just this type of authentication:

I'm using this type of authentication for some private packages and I'm not sure if this deprecation will affect my workflows.

[Otr437]

Just a heads up guys if anyone is using any type of ai to create scripts they are giving the bad npm tools without understanding the supply chain attack claude code gave me a bad package and now i have 2k sychost running and gotta dump my whole 300gb and 3 new transactions on my wallet 2 zcash gone 27 dollars in eth gone this am

…

On Fri, Oct 31, 2025, 10:10 AM Lucas Pimenta ***@***.***> wrote: Hey guys I have a question about the classic tokens deprecation: Will this deprecation affects Github Packages authenticated with PAT - Personal Access Token(classic) as well? In Github Packages documentation, they enforce that has just this type of authentication: image.png (view on web) <https://github.com/user-attachments/assets/50771de7-f7fd-4fd5-8da1-570f6551691f> I'm using this type of authentication for some private packages and I'm not sure if this deprecation will affect my workflows. — Reply to this email directly, view it on GitHub <#174507 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BING55QZ7BLDOGME7NATHE332NUWZAVCNFSM6AAAAACHJT4IZ2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIOBTHA4TEMA> . You are receiving this because you commented.Message ID: ***@***.***>

[metal-messiah]

We have migrated all of our various actions to use OIDC, but now our nightly automation around npm deprecate is failing (we publish new versions frequently, and our support window only extends 1 year into the past, so frequent deprecation commands are necessary). This doc seems to indicate that deprecate doesnt fit the bill of OIDC compatibility. Is there a reason OIDC doesn't work for all the NPM commands? Generating a new weekly token for our deprecation needs feels bad.

[inomdzhon]

We have same problem with npm deprecate :(

[Diegodevops26]

Subject: Great initiative on the npm Security Improvement Plan

Hi team,

Thanks for sharing this detailed post and for proactively focusing on the security of the npm ecosystem. As a developer, supply chain security is a top concern, and it's great to see you addressing it head-on.

I've read through the proposed plan, and I'm particularly supportive of the initiatives around [mention a specific part of the plan you like, e.g., enhancing 2FA enforcement or improving package integrity checks]. This seems like a strong and necessary step forward.

I have a couple of clarifying questions to better understand the rollout:

What is the expected timeline for these changes? Will they be rolled out in stages?

Regarding the [mention another specific part, e.g., "new publishing verifications"], could you share a bit more about how this will impact the daily workflow for developers? For instance, what will the experience be like if a package fails one of these new checks?

One suggestion I'd like to offer is [add a brief suggestion or area you think they missed, e.g., "to also consider providing more tools for automated dependency auditing within CI/CD pipelines"].

Overall, this is a very welcome direction. I appreciate the team's transparency and the chance to provide feedback.

Looking forward to these improvements!

[nickdnk]

Subject: Great initiative on the npm Security Improvement Plan

Hi team,

Thanks for sharing this detailed post and for proactively focusing on the security of the npm ecosystem. As a developer, supply chain security is a top concern, and it's great to see you addressing it head-on.

I've read through the proposed plan, and I'm particularly supportive of the initiatives around [mention a specific part of the plan you like, e.g., enhancing 2FA enforcement or improving package integrity checks]. This seems like a strong and necessary step forward.

I have a couple of clarifying questions to better understand the rollout:

What is the expected timeline for these changes? Will they be rolled out in stages?

Regarding the [mention another specific part, e.g., "new publishing verifications"], could you share a bit more about how this will impact the daily workflow for developers? For instance, what will the experience be like if a package fails one of these new checks?

One suggestion I'd like to offer is [add a brief suggestion or area you think they missed, e.g., "to also consider providing more tools for automated dependency auditing within CI/CD pipelines"].

Overall, this is a very welcome direction. I appreciate the team's transparency and the chance to provide feedback.

Looking forward to these improvements!

What's the point in asking AI to comment for you?

[Top-Dev1219]

You’ve raised some great points:

Timeline & rollout: The changes will indeed be rolled out in stages to minimize disruption. We’ll start with smaller opt-in phases (for example, with early adopters or specific package categories) before expanding to the broader ecosystem. We’ll be sharing a detailed timeline and milestones in an upcoming update post.

Publishing verification workflow: The new publishing checks are designed to add security while keeping developer experience smooth. If a package fails a check, the CLI and web interface will provide clear error messages and guidance on how to resolve the issue (e.g., fixing signature mismatches or reauthenticating for 2FA). We’ll also include documentation and examples for common scenarios before rollout.

Your suggestion: Great point about CI/CD dependency auditing — that’s definitely an area we’re exploring further. Our goal is to make it easier for developers to automate and monitor dependency integrity as part of their continuous delivery pipelines.

We’re really glad to hear your support for stronger 2FA enforcement and improved package integrity checks. Your input helps shape how we prioritize and communicate these updates.

[datenreisender]

Stop posting AI generated comments!

[mecodeatlas]

Hi @Top-Dev1219,

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[AlttiRi]

I'm fine with TOTP. I totally dislike using passkeys.

[Jason3S]

@leobalter,

Is supporting GitHub reusable workflows on the list? I spent a few hours fighting with publishing because reusable workflows were not supported and it isn't documented (explicitly) that they are not supported.

Here is a sample publish workflow that works fine with manual runs and release triggers (assuming you generate a release with a non-default token), but not with reusable workflows.

.github/workflows/publish.yml:

name: ' 🚀 Publish: Publish to NPM (automatic)'

on:
  release:
    types:
      - published # will only trigger if you use an app token or PAT when creating the release.
  workflow_dispatch:
    inputs:
      ref:
        type: string
        description: 'The git ref (branch or tag) to publish'
        required: false
  workflow_call:
    # note this flow won't work until NPM adds support for reusable workflows
    inputs:
      ref:
        type: string
        description: 'The git ref (branch or tag) to publish'
        required: true

permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ inputs.ref || github.ref }}
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - name: Publish Package
        run: npm publish
        env:
          NPM_CONFIG_PROVENANCE: true

If I am reading the docs right, according to Using OpenID Connect with reusable workflows - GitHub Docs, NPM needs to check a combination of job_workflow_ref and workflow (I cannot try this, so it is just speculation on my part).

Current NPM Trusted Publisher setup:

Request: add ability to add multiple optional workflows that can call ./.github/workflows/publish.yml.

[datenreisender]

In a sense reusable workflows are supported just not in the way you (and I) probably first expected or had hoped. I made a sketch of that in https://github.com/orgs/community/discussions/174507#discussioncomment-14723818 and also requested there to make this more clear in the docs but that has not happened so far.

And, yes, I also think one of the things missing is that more than one workflow can be defined as Trusted Publisher. The current workaround is awful.

[Jason3S]

@datenreisender,

Thank you! I had missed your comment. I guessed that adding the the name of the caller workflow would work, but that wasn't really an option in my case. I thought about using workflow_run trigger, but there isn't any easy way to pass information to the publish workflow.

[Garbee]

If workflows had outputs so they could bundle some data into a JSON property for a caller, this would be simple to achieve. But, in leu of that, you can pass data between workflow_run situations. The docs have an example showing how to get an artifact. My work-around would be build a JSON artifact and push it as the output data. Then pull it in the publish workflow and extract the contents into the outputs of an opening job that all other jobs depend on. That way you can use that job's output as the reference point throughout your workflow.

Terribly hacky, but it would get the job done.

[Jason3S]

@Garbee,

I wasn't able to find where the output from a workflow gets passed to the on.workflow_run listener. Do you know how that is done? The example on using an artifact is clear and is a viable alternative.

[Garbee]

Output isn't passed in event payloads. That is why I showed the artifact method to pass data between them as an alternative.

[horia-stoenescu]

Are granular tokens going to receive more updates? I understand that support for cli (npm token create) is not read (see here the PR), but these tokens are static once they are created - the only option there is to delete it. In case you have to add a new package in scope, you have to recreate all of them, which takes a lot of time 😢 .

Comparing with GitHub fine grained tokens, the user experience is far better there: you can regenerate it (here delete and start all over again), select repositories, permissions can be added/removed/edited, and so on.

Thank you.

[leobalter]

We have work in progress to enable cli management for granular tokens. We intended to ship it soon in this quarter.

[horia-stoenescu]

Sure, thanks for the information. Is there a deadline here (env of Nov/start of Dec)?

[leobalter]

It's safer for me to say early December.

[Jason3S]

@leobalter,

I have just finished migrating my 3rd repository to a Trusted Publisher. It is a painful experience since it isn't clear why things would be failing:

• In my first repo, I had gotten 403s and that turned out to be how the workflow was called, see comment above.
• In the second repo, I had gotten 404s, but after moving some steps around, it started working.
• In the third repo, I had copied the steps from the second, but started getting 404s again. Since this repo was pnpm based and the others were npm based, I went down a rabbit hole trying to figure out the issue. The issue had nothing to do with pnpm it was related to the version of npm installed by default. By default, GitHub Workflows for node 22.x install npm version 10.9.4. This version gives 404s when publishing to NPM. Using node 24.x, upgrades npm to version 11.6.2. This version worked.

Some clean documentation on what is needed to publish using a Trusted Publisher would be very helpful. Most of the documentation is out of date.

Do you have any influence on the docs? This one is out of date: Generating provenance statements | npm Docs. It says npm 9.5.0+ should be ok. Yes, that is true for provenance, but not for Trusted Publishers.

[macalbert]

@Jason3S I'm having the same problem here, and there is an existing issue opened related to that: npm/cli#8730

[phun-ky]

tl;dr; Trusted Publishing: author: search doesn't return packages I authored

I'm using Trusted Publishing (OIDC) from GitHub Actions for the @interstellar-tools scope. My npm username is phun-ky.

I noticed that packages published via Trusted Publishing don't show up when querying the registry search API with author:phun-ky, even though I'm the package author in package.json. For example:

• https://registry.npmjs.org/-/v1/search?text=author:phun-ky → does not include packages from @interstellar-tools.
• https://registry.npmjs.org/-/v1/search?text=maintainer:phun-ky → does include them.

One concrete example package is @interstellar-tools/equations. Its package.json author is set to me ("Alexander Vassbotn Røyne-Helgesen [email protected]""), but the author: query doesn't return it. Packages I publish via tokens (outside Trusted Publishing) (some packages that has correct author is also using Trusted Publishing, but I suspect that the tokens are used instead some how) do appear under author:phun-ky.

Questions:

1. Is this the expected behaviour for packages published with Trusted Publishing (i.e., author: matching the CI/publisher identity rather than the package's author field or my npm username)?
2. Is there a way to keep Trusted Publishing (and provenance) while also having my packages discoverable via author:phun-ky?
3. If this is by design, could you point me to the documentation that explains how author: works with Trusted Publishing—or consider updating the docs for clarity?
4. If there's an alternative search qualifier (e.g., a publisher: or similar) that reliably finds these packages, I'd appreciate guidance.

Thanks for your help and for the work you're doing on supply-chain security and provenance.

[riderx]

I'm currently blocked from migrating to Trusted Publisher until it supports org-wide setup.
I currently have more than 100 npm packages, and keep adding 5/10 a month.
Furthermore, I currently have one token in my GitHub org used for all of them.
Moving to a setup by Repo is insane and will destroy my productivity. Plus, it requires a huge setup that I cannot afford now.

This deadline you gave us is insanity.
I will find a way to put my login in the CI/CD job to generate a token if that is the only solution left of this madness.

[datenreisender]

For a setup like yours, the best solution currently probably is to manually generate and store a token every 90 days (~4 times per year).

Not nice, but until npm figures out something better, that seems to be the best.

[riderx]

Yea i will do that and then i will hack my own account to fuck the system who brink no security but mirage or use another registry.

i had enough of them

[IchordeDionysos]

Trusted publishing is the one of the most effective counter measures we can adopt as an industry against the types of attacks we have seen in the NPM ecosystem.

Besides getting rid of (pre-/post-)install scripts.

We should be solving security threats from multiple angles.

[riderx]

Token management is the responsibility of the person who creates it, the same as a a password.
Post-install is the platform's responsibility.
One gets fixed by educating people to be careful with their tokens, the other by fixing the platform,
postinstall problem is already resolved on bun, yarn and soon pnpm.
Only npm is not moving is ass and do stupid stuff outside of they responsibility.

[UlisesGascon]

In the OpenJS Security Collab Space, we recently published a guide on secure npm publishing practices: “Publishing Securely on npm”. It includes sample repos and practical workflows that many open-source maintainers can adopt today.

Below is the quick-reference table from the guide, comparing the three main publishing approaches:

Quick Reference

Approach	Best for	Strengths	Cautions
Local Publish	Small/critical libs	Maximum control, public identity, fewer moving parts	Manual steps; slower for large teams
CI Publish	Multi-maintainer projects	Automation; consistent workflow	Bot opacity, private logs, CI compromise risk
Trusted Publishing	Future adoption	Token-less model, nice UX when hardened	Not yet ready

Key takeaways from our analysis

• Publishing locally with strong personal auth (non-SMS 2FA) remains the most predictable and secure option for many projects today.
• CI-based publishing provides automation and consistency for multi-maintainer teams, but it centralizes risk and the use of shared bot accounts or opaque CI logs can weaken provenance.
• We believe Trusted Publishing is the long-term path forward, but in its current state it would not prevent attacks such as Shai-Hulud and other recent supply-chain compromises.
• GitHub’s token-less model is an important step and we are encouraged by the progress, but it is not yet something we can recommend for high-value or high-risk packages.

Our focus in the guide is helping maintainers choose the publication model that fits both their project scale and their security posture today, while preparing for workflows that will become safer over time.

Happy to discuss details or provide deeper examples if helpful.

[boutell]

This hasn't been explained well.

But as much as I hate to admit it, the deprecation of TOTP aka Google Authenticator actually does make sense:

• The Shai-Hulud attack etc. relied on phishing.
• npm package owners were deceived by websites with deceptively similar URLs that proxied the website and sniffed tokens in transit.
• This defeats both passwords and TOTP because both can be proxied successfully.
• However, passkeys cannot be proxied successfully because the browser itself remembers the domain name and won't provide the passkey on the wrong domain. (*)
• Sure, password managers can't be fooled in this way either, and when used properly you don't even know the passwords so you can't be phished, etc. But, Microsoft cannot force npm package owners to use password managers in this way. They can require passkeys.
• Therefore this is a material improvement.

I'm just glad that 1password supports passkeys, so I don't have to change my workflow and buy deeply into particular OS ecosystems in order to participate.

(*) Public/private key cryptography is involved too. Offhand I'm not sure if that's any additional defense against a proxy. But it doesn't matter, because it's sufficient that the browser remembers the domain and is not fooled into performing the passkey dance on a malicious phishing proxy site.

[riderx]

for once i agree with @ljharb the real problem was and still is the "post install" script.
This change destroyed the workflow of thousand of people for no actual benefits.
they moved the problem to GitHub at best.

[boutell]

Blocking post install has a lot of merit, but wouldn't attackers just move to carrying out their evils at runtime instead?

[riderx]

There is way less chance that runtimes will get anything interesting.
In production you will find nothing personal or you can steal, maybe some apikey but no interest to have them compared to access to a personal machine.
Also i believe runtime injections is harder has you dont know what file etc to do it's less spreadable.
and at local runtime, deno for exemple removed all permissions by default, i do believe node will go that way too, so this is not going to last either.
But i agree it's not zero risk

[DavidBruant]

The worm spread by compromising credentials that were accessible in various environments visible to already compromised packages, which absolutely affected a lot of people who were not phished.

(...)

setting the lifetime for npm login tokens to just 2 hours is both super-annoying and a relevant improvement because it is meaningfully harder to reliably grab publish rights

I don't know how much "meaningfully harder" it is
The worm can install itself on the machine and wait for the next 2-hour token with a variety of techniques (among other things, the worm can alias npm and wait for the next npm login to steal your password and even generate 2-hour tokens at will)
It's certainly harder to write than just getting tokens from a fixed location, but it's not super-hard to write either
The people behind shai-hulud have demonstrated a lot of creativity, i wouldn't be surprised they could do that. They just went for the lowest-hanging fruits. If they continue, they'll move on to the next

I project the 2-hour tokens does slow down the worm spread significantly though
but it does not solves the problem like disabling lifecycle scripts by default would

(And trusted publishing is also a good move forward, but the github action ecosystem has known weaknesses too)

Blocking post install has a lot of merit, but wouldn't attackers just move to carrying out their evils at runtime instead?

It's possible
but my ssh keys aren't accessible from the runtime (i use npm for front-end webdev, my runtime is a web page)
from a compromised webpage, it's also not possible to register my machine as a github runner either

Runtime also has its compartimenting solutions as well

[boutell]

Two-hour sessions are a temporary measure I hope. Mandatory passkey use to actually publish if using a token obtained via npm login would be much less of an imposition for most dev workflows, especially people who are just trying to install private npm modules by logging in. Those people's package vendors are no doubt fleeing to Verdaccio as we speak.

[motdotla]

You can still create classic tokens by navigating to https://www.npmjs.com/settings/USERNAME/tokens/new

They work too. They just aren't listed under your /tokens page.

[motdotla]

Maybe they still need the classic ones for internal tooling 😂

[riderx]

I think it stopped to work :/

[motdotla]

Yeah, looks like it is being redirected now to: /tokens/granular-access-tokens/new

[leobalter]

Thanks for the note here! This link has been updated as well. Any tokens created with it are being removed as well.

[riderx]

@leobalter, please dont do that.
your force everyone to use a system who is broken.
And not solving anything in term of security.
At least if you want to gaslight everyone make the new system work, org wise.
and allow multiple github actions. right now it's not usable.