Consider Adopting NPM Trusted Publishing
Overview
Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.
Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed, by generating automatic provenance that provides cryptographic proof of where and how packages are built, and by following an industry standard already adopted by PyPI, RubyGems, crates.io, NuGet, etc.
npm is planning to deprecate legacy tokens and make trusted publishing the preferred method. If assistance is welcome, please let me know and I can assist and/or get further assistance as needed.
References:
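For readers who want to see what the proposal looks like in practice, the following GitHub Actions workflow is an added example and not sinon's own release workflow. It assumes the package's trusted publisher on npmjs.com has been registered for this repository with the workflow file name `publish.yml` and the environment name `release` (both are assumptions; the registered values must match the workflow exactly), and that releases are cut by pushing a `v*` tag. The point to notice is what is absent: no `NODE_AUTH_TOKEN` secret and no long-lived token anywhere in the repository. The `id-token: write` permission is what allows the npm CLI to obtain a short-lived OIDC token from GitHub and exchange it for a single-use publish credential.

```yaml
# Added example, not sinon's own workflow. Assumptions: the npmjs.com trusted
# publisher for this package is registered for this repository with workflow
# file name "publish.yml" and environment "release"; releases are cut by
# pushing a version tag. No npm token is stored in the repository's secrets.
name: Publish to npm

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release        # must match the environment registered on npmjs.com, if one was set
    permissions:
      contents: read            # checkout only; nothing here writes back to the repository
      id-token: write           # lets the npm CLI request a short-lived OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # npm must target the public registry explicitly

      # Trusted publishing requires npm CLI 11.5.1 or later; the npm bundled
      # with the Node release on the runner may be older, so upgrade first.
      - run: npm install -g npm@latest

      # Do not run dependency lifecycle scripts on the release runner; the
      # Shai-Hulud worm spread through exactly those hooks.
      - run: npm ci --ignore-scripts

      - run: npm test

      # No NODE_AUTH_TOKEN is set. npm exchanges the workflow's OIDC token for a
      # one-time publish credential and attaches a provenance attestation
      # automatically, so the package page shows which commit and workflow
      # produced the tarball.
      - run: npm publish
```

Keep `id-token: write` on the publish job only rather than at the workflow level, so no other job (tests, linting) can mint a token that the registry would accept. After a release, a consumer can run `npm audit signatures` in a project that depends on the package; the npm CLI verifies the registry signature and the provenance attestation, which is the check that makes the provenance useful to anyone downstream.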
Hi, we have long since wanted to do this, and we were approached by @elliot-huffman last year on that topic. We had some initial promising chats, but then it all went dark, so I have no idea what happened to that effort. Quite strange.
Sinon often pops up in dev dependencies, so by doing this one could strengthen many build pipelines against supply chain attacks.
Someone just needs to put in the effort, and I am only in Ada, C and Python environments in my current gig, so it won't be me.
Sorry about that, my bad. I am totally happy to help out. Chase reports to me. I'm trying to restart that process.
I will sync with Elliot on a game plan.
I must have missed the previous discussion on this, my apologies.