Allow Trusted Publishers to run "npm dist-tag add"
Currently the Trusted Publisher docs indicate that the only supported command is npm publish. For packages that maintain multiple release lines the release process in CI normally looks like:
- npm publish --tag=20-x-y
- If this is the latest release line: npm dist-tag add my-package@version latest
As an example you can check the dist tags of the electron package on npm. Without this ability we would be unable to switch to Trusted Publisher.
Another option would be an addition to the publish syntax to support npm publish --tag=20-x-y --tag=latest to set multiple tags to this newly published thing
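The two-step release flow described in the issue above, sketched as an added example that is not part of the original thread or of any project's release tooling. The helper names (parse, isNewerStable, planRelease) and the sample dist-tags are constructed, and the second command it emits is the step the thread reports as unsupported under Trusted Publishers.

```javascript
// Added example: constructed helpers, not code from npm or from the thread.
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True only when `version` is a stable release strictly newer than `latest`.
function isNewerStable(version, latest) {
  const v = parse(version), l = parse(latest);
  if (v.pre !== null) return false; // prereleases never take "latest"
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== l.nums[i]) return v.nums[i] > l.nums[i];
  }
  return l.pre !== null; // same numbers: a stable release beats its own prerelease
}

// distTags: the package's current dist-tags object,
// e.g. the output of `npm view <pkg> dist-tags --json`.
function planRelease(pkg, version, distTags) {
  const { nums, pre } = parse(version);
  const lineTag = `${nums[0]}-x-y`; // release-line tag, as in the issue's 20-x-y
  const commands = [`npm publish --tag=${lineTag}`];
  const latest = distTags.latest;
  // Move "latest" only for a stable version newer than the current one, so a
  // backport on an older release line never becomes the default install.
  const movesLatest = pre === null && (!latest || isNewerStable(version, latest));
  if (movesLatest) commands.push(`npm dist-tag add ${pkg}@${version} latest`);
  return { lineTag, movesLatest, commands };
}

// Constructed sample state: two maintained release lines.
const sampleTags = { latest: "20.1.0", "20-x-y": "20.1.0", "19-x-y": "19.4.2" };
console.log(planRelease("my-package", "19.4.3", sampleTags).commands); // backport
console.log(planRelease("my-package", "20.1.1", sampleTags).commands); // newest line
```

Publishing the backport with a plain npm publish would move latest to 19.4.3, which is why the flow publishes under the release-line tag first and moves latest as a separate step.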
Any chance of getting a response for this one? If this is accepted as a feature, and the workload is currently too heavy, my team and I can get behind in contributing and getting this done.
This is a huge blocker to move to Trusted Publishers.
I found a temporary workaround ish, you can vend the NPM_TOKEN via OIDC yourself through the semi-documented npm API that backs the official support.
https://github.com/electron/npm-trusted-auth-action
@MarshallOfSound did you manage to get this to work? I'm using the electron action and am still getting 401. 😐
Yeah we use it for electron/node-abi if you want to check that out
Thanks, that's useful! Looks like you are using semantic-release. Is that what's calling dist-tag add in the background? I don't actually see any extra tags for node-abi.
dist-tag add is still failing for me for some reason. 😞
@MarshallOfSound it looks like @semantic-release/npm is calling npm publish under the hood. I think the token may be scoped to only support publish because it does not seem to work for dist-tag add.
I would like to add my vote to this. During nascent package development (i.e., where there is no production version), every version published to NPM is tagged with "beta", and my publication script automatically adds "latest" to such deployments as there is no production "latest". This worked until I migrated my project to the Trusted Publisher model. The dist-tag command should be supported.
When will this be fixed? We don't want to re-generate tokens every 90 days and update all repositories. No feedback from the dev team at all. You implement a new feature but don't have enough brains to make a complete analysis of use cases. Sorry for these words, but this is really annoying.
we just spent hours doing the work to switch to OIDC and then we ran into this - we can no longer push updates to our product which is used by 50,000 people every day
this needs to get fixed ASAP
I tried making the necessary API calls directly:
curl \
-H 'user-agent: npm/11.3.0 node/v24.2.0 darwin arm64 workspaces/false' \
-H 'content-type: application/json' \
-H "authorization: Bearer ${NPM_TOKEN}" \
-H 'Accept: */*' \
--compressed \
-H 'connection: keep-alive' \
-Ssf \
-vv \
-X PUT https://registry.npmjs.org/-/package/@rix0rrr%2ftestnpm/dist-tags/bier -d '"1.0.0"'
https://github.com/rix0rrr/testnpm/blob/1c4a439024bb8a8d960018a823fc3acf256d42df/.github/workflows/publish.yml#L91
And all I'm getting in return is 401 with no other explanation. It seems that not only does NPM CLI not support this, the npmjs server doesn't even support it.
< HTTP/2 401
< date: Wed, 10 Dec 2025 14:26:17 GMT
< server: cloudflare
< cf-ray: 9abd6a9bbbebbe62-SJC
< cf-cache-status: DYNAMIC
< www-authenticate: Basic, Bearer
< vary: Accept-Encoding
< set-cookie: _cfuvid=cn8bfj2PF7TXXIWuWwu58ITCgGhyKv2YONSw5whzqzg-1765376777624-0.0.1.1-604800000; path=/; domain=.npmjs.org; HttpOnly; Secure; SameSite=None
curl: (22) The requested URL returned error: 401
Yeah it used to but they closed it all down (which tbf is a good security move) they just haven't solved the feature gap 😓
@leobalter this is a P0 blocker for the largest projects in the npm ecosystem, can we get movement on this, even just a "coming in January".
Why can I publish but not set tags? If a hacker can publish, he can publish any shit; he will not use tags. This should be obvious to any idiot. When will this stupid limitation be removed?