
Securing Your NPM Publishing: Transitioning to Trusted Publishing

Blog post from Speakeasy

Post Details
Company:
Date Published:
Author: Speakeasy Team
Word Count: 603
Language: English
Hacker News Points: -
Summary

In response to recent supply chain attacks, the npm ecosystem has implemented significant security changes, particularly concerning authentication tokens. Starting in October, newly created write-enabled granular access tokens will expire after seven days by default, with a maximum lifespan of 90 days. Additionally, npm will revoke all existing legacy tokens and disable their future generation. To enhance security and simplify the publishing process, transitioning to Trusted Publishing using OpenID Connect (OIDC) is recommended, as it eliminates the need for token rotation and provides automatic provenance attestation. The process involves updating GitHub workflow permissions and configuring trusted publishing settings on npm; although this requires some initial setup, it promises long-term benefits in terms of security and maintenance.