npm Revokes Classic Tokens, as OpenJS Warns Maintainers About OIDC Gaps
Blog post from Socket
The transition from npm's classic tokens to more secure publishing methods has prompted significant discussion in the software development community, particularly around its security implications and best practices. GitHub's decision to disable the creation of classic tokens, and to revoke them entirely by December 2025, is meant to remove long-lived, broadly scoped credentials and push maintainers toward alternatives: OIDC-based trusted publishing or granular access tokens. However, experts such as Wes Todd have raised concerns about security gaps and implementation challenges in OIDC workflows. In continuous integration (CI) publishing setups, these gaps matter because a trusted-publishing configuration trusts a workflow, so an attacker who can trigger that workflow, or who holds the permissions it runs with, may be able to publish a release. OpenJS recommends a cautious approach, advising maintainers to choose between local publishing, hardened CI-based publishing, or trusted publishing, based on how critical their projects are. The broader goal is a more secure and auditable publishing process that minimizes risk, even as the ecosystem works through the complexity of ensuring that no insecure publishing path remains available alongside the hardened one.
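The "workflow triggers and permissions" concern above is easiest to see in a concrete GitHub Actions release workflow. The following is an added example written for this summary; it is not from the Socket post, from OpenJS, or from npm's documentation. It assumes a package that has been configured on npmjs.com for trusted publishing with the workflow file name `release.yml` and an environment named `release`, and that the maintainers enable a required reviewer on that environment. The first document is the kind of setup OpenJS warns about; the second is a hardened form of the same job.

```yaml
# WEAK (constructed for illustration, do not use): this workflow is a publishing
# path that anyone who can open a pull request can trigger.
name: release
on:
  pull_request_target:          # runs with the base repo's privileges on PR events
  workflow_dispatch:            # any collaborator can fire it from any branch
permissions: write-all          # far more than publishing needs
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out unreviewed PR code
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install         # runs install scripts from the PR's dependencies
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # a long-lived token is still a second publishing path
---
# HARDENED: the registry only accepts OIDC tokens minted by this file, on this
# repository, in the "release" environment; everything else is denied.
name: release
on:
  push:
    tags:
      - 'v*'                    # only explicit release tags pushed by a maintainer
permissions: {}                 # deny at the workflow level; the job opts in to exactly what it needs
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release        # environment protection rules (required reviewer) gate the OIDC token
    permissions:
      contents: read
      id-token: write           # required to request the OIDC token; nothing else is granted
    steps:
      - uses: actions/checkout@v4   # pinning to a full commit SHA is stricter than a tag
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm; pin a version if you prefer
      - run: npm ci --ignore-scripts     # lockfile-exact install, no lifecycle scripts from dependencies
      - run: npm test
      - run: npm publish          # no NODE_AUTH_TOKEN: npm exchanges the Actions OIDC token with the registry
```

Two points follow from the hardened version. First, the trust is bound to the workflow file and environment, so every trigger that can reach this file is a publishing path: keep the `on:` block to release tags, and treat adding `workflow_dispatch` or `pull_request_target` as a change to who can publish. Second, the hardened workflow only closes the insecure path if no classic or granular token for the package survives alongside it; after switching, audit the package's remaining tokens and publishing settings so OIDC is the only route left.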