
Consider adopting npm trusted publishing #1203

@JamieMagee

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; it generates automatic provenance, providing cryptographic proof of where and how packages are built; and it is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc.

npm is planning to deprecate legacy tokens and make trusted publishing the preferred method.

I know that this repository has a non-standard publishing workflow, which makes adoption trickier than the documentation makes it out to be. But given that it publishes all @types/* packages, I think it would provide a huge uplift and set a good example for the whole Node ecosystem.

References:
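For readers unfamiliar with what the switch looks like in practice, here is the GitHub Actions workflow shape that npm trusted publishing expects, as an added example. It is not DefinitelyTyped's own publishing code and does not model its non-standard workflow; the tag trigger, the `npm-publish` environment name and the job layout are assumptions. The matching trusted-publisher entry (repository owner, repository name, workflow filename and optional environment) still has to be configured in the package's settings on npmjs.com.

```yaml
name: Publish to npm via trusted publishing

on:
  push:
    tags: ['v*']   # assumption: release tags drive publishing

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumption: "npm-publish" is the environment named in the package's
    # trusted-publisher configuration on npmjs.com. Protecting it with
    # required reviewers limits who can trigger a publish.
    environment: npm-publish
    permissions:
      contents: read
      # Lets the job request a GitHub OIDC token. The npm CLI exchanges that
      # token for a short-lived publish credential scoped to this package,
      # so no NPM_TOKEN secret exists to be stolen or leaked.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      # Trusted publishing needs npm 11.5.1 or later; the npm bundled with
      # Node 22 is older, so upgrade it before publishing.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test

      # No NODE_AUTH_TOKEN / NPM_TOKEN here. The CLI detects the OIDC
      # environment, authenticates with it, and attaches a signed provenance
      # attestation automatically, so "--provenance" is not required.
      - run: npm publish
```

Reviewing an existing workflow for `NODE_AUTH_TOKEN`, `NPM_TOKEN` or a `registry-url`/`.npmrc` auth line is the quickest way to find the long-lived credential that trusted publishing removes.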
