npm Trusted Publishing with OIDC is generally available — safer CI/CD publishing for JavaScript packages

Node.js · DevOps · Security · CI/CD

Key update

npm (via the GitHub/npm platform) has made "Trusted Publishing" with OpenID Connect (OIDC) generally available. CI systems can now publish packages without embedding long‑lived npm tokens: you configure the package on the registry to accept short‑lived OIDC assertions from specific GitHub Actions or GitLab CI workflows (or other OIDC‑capable runners), and the registry issues a transient publish credential scoped to that workflow run.

Why it matters

This is one of the most practical, deployment‑level improvements to JavaScript supply‑chain security in years. Long‑lived automation tokens are a frequent root cause when CI/CD secrets are leaked or when attackers pivot from a compromised runner into package publishing; switching to OIDC removes that persistent credential from your pipelines and makes automated publishes far harder to abuse.

For development teams and platform engineers the immediate, high‑value actions are straightforward to plan and low friction to test: migrate publish jobs to OIDC‑enabled workflows, update package and organization publish settings to trust only those workflows, rotate and retire existing npm tokens that were used only by CI, and keep interactive 2FA enforced for human publish actions. This reduces the blast radius of stolen CI credentials and complements other defenses (SBOMs, Sigstore provenance, secret scanning, and strict 2FA policies) — but it does not eliminate the need to secure maintainer accounts and guard against phishing.

If you publish packages from CI, prioritize a staged migration in the next sprint: convert a single pipeline to OIDC, verify artifact provenance and automated publishes, then remove the token from your secrets store and repeat for the remaining pipelines.
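A minimal GitHub Actions publish job wired for trusted publishing, added here as an illustration rather than taken from npm's or GitHub's documentation. It assumes the package's Trusted Publisher settings on npmjs.com already name this repository and workflow file, and that the runner has an npm version that supports OIDC publishing; the package name, Node version and release trigger are placeholders.

```yaml
# Added example workflow (not from the original article).
# Note the absence of NODE_AUTH_TOKEN / NPM_TOKEN: no long-lived secret is configured.
name: publish

on:
  release:
    types: [published]   # assumption: publish on a GitHub release

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # enough to check out the source
      id-token: write    # lets the job request a short-lived OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22                        # placeholder version
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI; the runner image may ship an older one.
      - run: npm install -g npm@latest

      - run: npm ci

      # The CLI exchanges the job's OIDC token for a transient publish credential.
      # The registry only accepts it because the package's Trusted Publisher settings
      # list this repository and workflow file; any other workflow is rejected.
      - run: npm publish --access public
```

After the first OIDC publish, delete the old automation token from the repository's secrets and from the npm account's token list; keep `id-token: write` scoped to the publish job only, not the whole workflow.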
