ajv icon indicating copy to clipboard operation
ajv copied to clipboard
verified publisher icon ajv-validator

Consider adopting npm trusted publishing

Open JamieMagee opened this issue 5 months ago • 0 comments

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc.

Here's the short version:

  1. Configure a trusted publisher on npmjs.com
  2. Add id-token: write permission to your workflow
  3. Remove NODE_AUTH_TOKEN from your workflow

npm is planning to deprecate legacy tokens and make trusted publishing the preferred method.

Would you consider adopting trusted publishing to help secure the npm ecosystem?

References:

JamieMagee avatar Sep 27 '25 18:09 JamieMagee