react-testing-library icon indicating copy to clipboard operation
react-testing-library copied to clipboard
verified publisher icon testing-library

Consider Adopting NPM Trusted Publishing

Open Cevan00 opened this issue 2 months ago ā€¢ 3 comments

Overview

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc...

NPM is planning to deprecate legacy tokens and make trusted publishing the preferred method.

If assistance is welcome, please let me know and I can assist and/or get further assistance as needed.

Reference

References:

Cevan00 avatar Oct 22 '25 00:10 Cevan00

Sir i would like to work on this issue can you please assign to me.

Subham-KRLX avatar Nov 06 '25 10:11 Subham-KRLX

Hi, Iā€™d like to help with adopting NPM Trusted Publishing. Could you please confirm if this is open for contribution?

manu-bitt avatar Nov 10 '25 12:11 manu-bitt

Yes, as long as it gets implemented šŸ™‚

Cevan00 avatar Nov 10 '25 23:11 Cevan00