Consider Adopting NPM Trusted Publishing

Open Cevan00 opened this issue 2 months ago • 0 comments

Overview

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; it generates automatic provenance, which provides cryptographic proof of where and how packages are built; and it is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc.

NPM is planning to deprecate legacy tokens and make trusted publishing the preferred method.

Reference

References:

Inspiration:

Cevan00, Oct 02 '25 17:10
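As an added illustration of the change this issue requests (not part of the original post and not the project's own workflow), here is a GitHub Actions publish job that uses npm trusted publishing over OIDC, with the token-based step it replaces shown commented out. The workflow file name, trigger, job name and Node version are assumptions; the trusted publisher entry (repository and workflow file name) must also be registered in the package settings on npmjs.com.

```yaml
# .github/workflows/publish.yml  (hypothetical file name; it must match the
# workflow file name registered as the trusted publisher on npmjs.com)
name: Publish to npm

on:
  release:
    types: [published]   # assumed trigger; use whatever gates your releases

permissions:
  contents: read         # least privilege for checkout

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # lets the job request the OIDC token npm exchanges
                         # for a short-lived publish credential
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'                      # assumed version
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs npm CLI 11.5.1 or later.
      - run: npm install -g npm@latest

      - run: npm ci

      # BEFORE (token-based): a long-lived secret stored in the repository,
      # usable by anyone who exfiltrates it until it is revoked.
      # - run: npm publish
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # AFTER (trusted publishing): no NODE_AUTH_TOKEN at all. npm detects
      # the OIDC environment, authenticates the workflow identity and
      # attaches a provenance attestation to the published version.
      - run: npm publish
```

Once the OIDC path publishes successfully, delete the `NPM_TOKEN` repository secret and revoke the token on npmjs.com so no long-lived credential remains to steal.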