npm classic tokens revoked — urgent migration checklist for full‑stack teams
What happened (short): GitHub’s npm registry completed a planned security hardening on December 9, 2025 — all legacy “classic” npm tokens were permanently revoked, session‑based auth for local logins was introduced, and CLI support for creating/managing granular access tokens landed. This breaks any workflows that still rely on long‑lived classic tokens (CI secrets, baked images, deploy scripts, internal tooling). (github.blog)
Why this matters for full‑stack teams
- Publishing/pipeline outages: CI jobs that inject a classic NPM_TOKEN will now fail with authentication errors, often silently in release flows. (github.blog)
- Increased rotation & 2FA discipline: Granular write tokens are short‑lived by default and enforce stronger 2FA/Bypass rules for automation — you need token rotation/attestation or OIDC-based publishing. (github.blog)
- Hidden credentials: Tokens baked into container images, build caches, or developer machines stop working and may need remediation across many places (images, cloud secrets, ~/.npmrc). (github.blog)
What to do now — prioritized checklist (run this today)
- Triage: find all uses of classic npm tokens
- Search GitHub/GitLab/CI secrets for NPM_TOKEN, npmrc files, Dockerfiles, and build scripts. Don’t forget self‑hosted runners and cloud images. This is the single highest‑impact step. (github.blog)
- Restore CI publishing (quick recovery)
- If you publish from GitHub Actions or GitLab, adopt “Trusted Publishing” / OIDC where supported — it eliminates stored long‑lived tokens by issuing short credentials per workflow run. If OIDC isn’t possible, create a granular access token with the minimal required scopes and enable the CI “Bypass 2FA” option for that token. Test a rehearsal publish. (github.blog)
- Rotate secrets and images
- Replace any NPM_TOKEN secrets with new granular tokens or shift to OIDC. Rebuild and redeploy any container images or VM images that contained classic tokens. Audit CI logs for 401/403 failures after rotation. (github.blog)
- Local developer workflow updates
- Educate engineers:
npm loginnow produces short (2‑hour) sessions for interactive publishing; for long‑running local tasks use granular tokens or adopt dev-time OIDC where available. Remove long‑lived tokens from ~/.npmrc. (github.blog)
- Update tooling & registries
- Private registry/proxy appliances: confirm they support granular tokens and session auth. If you rely on older package managers (Yarn v1/v2), note that a legacy endpoint was temporarily restored during rollout — plan an upgrade because that compatibility layer is short‑lived. (github.blog)
- Automate rotation & least privilege
- Implement token rotation policies (automated renewal or short TTLs), restrict token scopes to “publish only” or read‑only where possible, and enforce least privilege on package and org level. Integrate rotation into your secret manager (Secrets Manager, Vault, GitHub Secrets + OIDC). (github.blog)
- Post‑migration validation
- Run full publish dry‑runs from CI and from local dev machines. Confirm
npm publish,npm pack, andnpm dist-tagwork as expected and that package provenance (when available) is recorded by Trusted Publishing/OIDC.
Quick remediation playbook (minimal commands/steps)
- Audit: grep/secret-scan for NPM_TOKEN across repos and images.
- CI: switch publish jobs to use OIDC (GitHub Actions: configure id-token permissions + trusted publisher in npm settings) or create a granular token with the exact scopes + Bypass 2FA for CI only. (github.blog)
- Local: instruct devs to run
npm loginand remove legacy tokens from ~/.npmrc; prefer ephemeral sessions or per‑task granular tokens. (github.blog)
Operational gotchas and traps
- Monorepos and workspace scripts commonly reuse a single token — rotating that one secret can blow up dozens of packages at once. Stagger rollout with a rehearsed publish. (github.blog)
- CI images or build caches embedding tokens must be rebuilt; otherwise pipelines will fail even after secret rotation. (github.blog)
- Some third‑party services or old tooling might still expect classic tokens; vendor‑by‑vendor checks are necessary. (github.blog)
Why this is worth the effort The change materially reduces the blast radius from leaked long‑lived credentials, forces better automation hygiene (OIDC/trusted publishing), and aligns the npm registry with stronger, modern authentication patterns — but it requires immediate operational work for teams that still depend on legacy tokens. (github.blog)
Further reading (official changelog)
Source
Read Next
Chrome 143 changes FedCM: structured ID assertions, stricter client metadata, and breaking API updates
January 31, 2026Chrome 143 (published Jan 12, 2026) changes the FedCM identity flow: ID assertion tokens can be structured JSON, client_metadata validation is enforced, and several API fields move/rename — migration required before Chrome 145.
Undici CVE-2026-22036: unbounded decompression chain allows resource exhaustion — patches released
January 30, 2026A Jan 14, 2026 security advisory for undici (the Node.js HTTP client) describes an unbounded decompression-chain vulnerability that can lead to high CPU and memory usage. Full‑stack teams must find and upgrade affected undici versions and add lightweight runtime protections.
React Router / Remix Patch CSRF Vulnerability in Server Actions (CVE-2026-22030)
January 29, 2026React Router and @remix-run/server-runtime patched a medium-severity CSRF issue affecting server-side action handlers and unstable React Server Actions — what full‑stack teams must check and patch now.