Promote npm trusted publisher

[sxzz]

Motivation

npm Trusted Publishing is now generally available, allowing package owners to publish npm packages via CI without manually generating npm tokens. This method greatly reduces the risk of token leaks, which has been a recurring issue in the past. For more details, see:

• https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
• https://docs.npmjs.com/trusted-publishers/

Current Status

I've added a provenance tab to node-modules-inspector, where you can view the provenance status of all my packages: https://pkg.sxzz.dev/grid/provenance

Some packages have provenance enabled but are not yet using Trusted Publishing, including:

• Vue / Vite, /cc @yyx990803 @edison1105 @patak-dev @sapphi-red
• Nuxt, /cc @danielroe
• Vitest / UnoCSS / Shiki / VueUse / Slidev, /cc @antfu @sheremet-va @zyyv
  • Vitest
  • UnoCSS
  • Shiki ci: use oidc for npm publish & codecov shikijs/shiki#1068
  • VueUse
  • Slidev
• Rolldown, /cc @hyf0
• Oxc by @Boshen
• tinyexec by @43081j
• tinyglobby by @SuperchupuDev
• publint by @bluwy
• eslint-plugin-import-x / unrs-resolver / synckit by @JounQin
• List of the most popular npm packages: https://github.com/sxzz/npm-top-provenance

Migration

Note

This proposal applies only to packages already published via CI. If your package does not yet use CI for publishing, you will need to set up CI workflows before migrating to Trusted Publishing.

Migrating is straightforward for packages already published via CI:

1. Connect your GitHub repository to your existing npm package at https://www.npmjs.com/package/<your-package>/access
2. Upgrade npm to the latest version (11.5.1+) if you're using npm or pnpm.
3. Safely remove npm tokens
4. [optional] Disallow tokens and trusted publishing will still work

For reference, see this example commit:

  - name: Publish to NPM
-   run: npm publish
+   run: npm i -g npm@latest && npm publish # or pnpm publish
-   env:
-     NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
-     NPM_CONFIG_PROVENANCE: true

I also wrote a reusable workflow: https://github.com/sxzz/workflows/blob/main/examples/release.yml

Automation

Anthony created a tool that lets you open the settings pages for all your monorepo packages at once.

I’ve also developed a userscript that automatically fills in repository information on the trusted publisher form (using the required repository field from package.json) and enables 2FA by default. You can install it using Tampermonkey or Violentmonkey. Thanks to @antfu for the inspiration!

Tip

If you maintain a large monorepo, connecting all packages can be time-consuming, and the user experience is currently lacking. I tried to write a script to automate repository connections, but was blocked by Cloudflare verification. Hopefully, npm will offer this feature via API in the future.

Read more

• https://bsky.app/profile/sxzz.dev/post/3lvne6sp7bs2t
• https://bsky.app/profile/chenjiahan.bsky.social/post/3lvlihvphvk2e

[posva]

Why is the npm i -g npm? Is it to get the latest version of npm? Isn’t this done at the image or action level?

[sxzz]

@posva The built-in npm updates alongside Node.js. Currently, Node.js LTS is at v22.18, which comes with npm v10.9.3. However, Trusted Publisher requires npm version 11.5.1 or higher. Do you have any effective solutions for upgrading or managing npm version on CI?

[JounQin]

I haven't migrated due to changesets/changesets#1152 (comment)

---

Update: set env NPM_TOKEN: '' is the workaround

[outslept]

@sxzz You should be able to use (will get you 11.5.2 currently)

 - name: Update npm
   run: npm install -g npm@latest

So there shouldn't be a need to tie to pnpm

[posva]

I don’t have a better solution. I thought there would be a different way to upgrade. It looks funny because after it, it uses pnpm 🤪 some might think it’s a typo

I would like to use this method of publishing too. Mono repos need some extra configuration

[sxzz]

@outslept Not tied to any specific package manager; pnpm is used here merely as an example.

[sxzz]

@posva Both Yarn and pnpm actually use npm for publishing packages, so the versions of Yarn or pnpm are essentially irrelevant.

[SuperchupuDev]

tinyglobby enabled trusted publishing as soon as it could for its next version SuperchupuDev/tinyglobby@b85c139

since ci installs node 24, the right npm version is automatically used and there's no need to manually install it

[SuperchupuDev]

FYI after enabling trusted publishing, you can restrict publishing access to disallow all tokens and trusted publishing will still work, we talked about it in e18e (thread link) and @dominikg tested that it works

[wesleytodd]

While provenance is not "bad" (other than being vendor leverage to signal security when it is actually just security theater), please include a call out that provenance is worthless without 2fa in your publishing workflows. Which is a feature github has no support for. As it stands, a maintainer with good hygiene and forced 2fa on a package is much more effective protection than a CI publish with provenance, especially if you can reproduce the build.

see our discussion with a bit more nuance here: https://bsky.app/profile/notwes.bsky.social/post/3lwgx6llchc2o

[sxzz]

@SuperchupuDev Thanks for your tips! Updated migration guidance.