npm has launched Trusted Publishing with OpenID Connect (OIDC) authentication, which lets a CI/CD workflow publish packages without a long-lived npm token stored as a secret. Instead of a persistent token, the CI provider issues a short-lived OIDC identity token for each workflow run; npm verifies it and exchanges it for an ephemeral credential that is valid only for that publish. Provenance attestations are generated automatically as part of the publish, and there is no token to store, rotate, or leak. GitHub Actions and GitLab CI/CD are supported today. The change is a direct response to recent supply chain attacks in which stolen or leaked persistent tokens were used to push malicious package versions: a credential that expires with the workflow run is of little use to an attacker who obtains it after the fact, which materially reduces the attack surface of the publish step.
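As an added example (not code from the Socket post or from npm's own documentation), the GitHub Actions workflow below shows what the change looks like in practice: the weak pattern of a long-lived `NPM_TOKEN` secret appears as a commented-out line, and the trusted-publishing version replaces it with the `id-token: write` permission that lets the runner request an OIDC token. The package name, the workflow file name `release.yml`, and the Node.js version are assumptions; trusted publishing also assumes that this workflow file has been registered as a trusted publisher in the package's settings on npmjs.com and that the npm CLI in the job is recent enough to perform the OIDC exchange (the `npm install -g npm@latest` step is there for that reason).

```yaml
# .github/workflows/release.yml (assumed file name; it must match the
# workflow registered as the trusted publisher in the npm package settings)
name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: read
  # Required for trusted publishing: lets the job request an OIDC token
  # from GitHub that npm verifies and exchanges for a short-lived credential.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'          # assumed version
          registry-url: 'https://registry.npmjs.org'

      # Assumption: the preinstalled npm may predate OIDC support, so update it.
      - run: npm install -g npm@latest

      - run: npm ci

      # Weak pattern being replaced: a persistent token in repository secrets.
      # Anyone who obtains NPM_TOKEN can publish until it is manually revoked.
      #
      # - run: npm publish
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Trusted publishing: no token is set. npm authenticates the run via the
      # OIDC identity token and attaches provenance to the published version.
      - run: npm publish
```

Two checks worth making after adopting this: confirm that no `NODE_AUTH_TOKEN` or `.npmrc` with `_authToken` remains in the job (an old token left behind silently keeps the old risk), and confirm on the package page that the newly published version carries a provenance attestation linking it to this repository and workflow.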

From socket.dev
Table of contents
Trusted Publishing with OIDC Is Now the Industry Standard
Key Features of npm's Trusted Publishing Implementation
Current Platform Support and Roadmap
Trusted Publishing Mitigates Token Hijacking
