Overview
- GitHub will restrict npm publishing to three paths: local releases with required 2FA, granular tokens capped at seven days, or trusted publishing.
- Legacy classic tokens and TOTP 2FA will be deprecated, tokens will be disallowed for publishing by default, and local publishing will no longer permit a 2FA bypass.
- More than 500 compromised packages tied to the Shai‑Hulud worm have been removed, and npm now blocks uploads matching the malware’s indicators of compromise.
- Trusted publishing uses short‑lived OIDC credentials and produces provenance attestations that let consumers verify a package’s source and build environment.
- GitHub will roll out changes gradually with migration support and plans to expand eligible CI/CD providers, as some maintainers raise concerns about delegated authorization risks.
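As an added example (not code from the article or from GitHub/npm), the workflow below shows what the trusted-publishing path looks like in practice: the job never holds a long-lived npm token; instead it requests a short-lived OIDC token from GitHub Actions, which npm exchanges for publish rights and records in a provenance attestation. It assumes the package on npmjs.com has already been configured with a trusted publisher pointing at this repository and this workflow file name (`release.yml`), that the runner's npm CLI supports OIDC trusted publishing, and that `v*` tags are the release trigger; the workflow and job names are placeholders.

```yaml
# Added example: release workflow using npm trusted publishing (OIDC),
# not the article's own configuration. Assumes a trusted publisher for this
# repo + workflow file is configured on npmjs.com for the package.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # lets the job mint the short-lived OIDC token npm accepts in place of a token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # No NODE_AUTH_TOKEN secret is set: authentication is the OIDC exchange,
      # so there is nothing for a stolen CI secret or a worm to replay later.
      # --provenance attaches a signed attestation naming this repository,
      # commit and workflow run, which consumers can check against the registry.
      - run: npm publish --provenance --access public
```

On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of installed packages, which is how the source-and-build-environment verification mentioned above is actually performed; a package whose attestation does not match the registry record is reported rather than silently accepted.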