Comprehensive guide to securing npm package publishing workflows in response to recent supply chain attacks. Covers eliminating access tokens in favor of OIDC Trusted Publishers, implementing 2FA requirements, using password managers, pinning GitHub Actions dependencies, checking in lock files, and restricting publishing access. Includes detailed security checklist with specific configuration steps for GitHub and npm, plus additional recommendations like immutable releases and package manager cooldowns.