NPM token update #2254
Replies: 6 comments 12 replies
-
|
@HyperBrain Hello! We'll see as soon as we have a PR opened. Reading the maximum expiration of 90 days, means you'll have to update it every 90 days? |
Beta Was this translation helpful? Give feedback.
-
|
I think so - until more people notice that this is secure but not really
user friendly .... there is at least a chance that it will be changed again
I hope.
…On Wed, Oct 15, 2025 at 8:56 AM Jérémy Benoist ***@***.***> wrote:
@HyperBrain <https://github.com/HyperBrain> Hello! We'll see as soon as
we have a PR opened.
Reading the maximum expiration of 90 days, means you'll have to update it
every 90 days?
—
Reply to this email directly, view it on GitHub
<#2254 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKEZXVUKDAAZNYGGCWPICT3XXV2ZAVCNFSM6AAAAACJGENWRCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINRYGM3TENA>
.
You are receiving this because you were mentioned.Message ID:
<serverless-heaven/serverless-webpack/repo-discussions/2254/comments/14683724
@github.com>
|
Beta Was this translation helpful? Give feedback.
-
|
Really strange. I will also check the trust relationship again. For now I
will create a new token and add it
…On Wed, Mar 4, 2026 at 9:44 AM Jérémy Benoist ***@***.***> wrote:
@HyperBrain <https://github.com/HyperBrain> looks like you still need to
update the NPM TOKEN on GitHub settings (security > Secrets and variables >
Actions):
https://github.com/serverless-heaven/serverless-webpack/actions/runs/22661623282/job/65683028140
—
Reply to this email directly, view it on GitHub
<#2254 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKEZXVKC6MHSPI7WOTQFW34O7UHXAVCNFSM6AAAAACJGENWRCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKOJZGQ4TINA>
.
You are receiving this because you were mentioned.Message ID:
<serverless-heaven/serverless-webpack/repo-discussions/2254/comments/15994944
@github.com>
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the update. The token is valid for 90 days. I will try to have a
fix ready by that date.
…On Fri, Mar 6, 2026 at 5:56 PM Jérémy Benoist ***@***.***> wrote:
Publishing went fine:
https://www.npmjs.com/package/serverless-webpack/v/5.15.4
—
Reply to this email directly, view it on GitHub
<#2254 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKEZXVR4EGA4SPXS335GXL4PL7L5AVCNFSM6AAAAACJGENWRCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTMMBSGU3DGNI>
.
You are receiving this because you were mentioned.Message ID:
<serverless-heaven/serverless-webpack/repo-discussions/2254/comments/16025635
@github.com>
|
Beta Was this translation helpful? Give feedback.
-
|
@j0k3r I will add you as maintainer at NPM for serverless-webpack. Can you then try if trusted publishing then works (i.e. if a package update just works without token)? |
Beta Was this translation helpful? Give feedback.
-
|
Finally :) Trusted publishing turned out to be trickier than expected,
…On Fri, Jul 10, 2026 at 9:46 AM Jérémy Benoist ***@***.***> wrote:
Closed #2254 <#2254>
as resolved.
—
Reply to this email directly, view it on GitHub
<#2254?email_source=notifications&email_token=ABKEZXTIRGCD67XUVYIR5XT5ECNMPA5CNFSNUABTM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SFOZSW45B2HJHG65DJMZUWGYLUNFXW4LZSG4YDINZYG6THEZLBONXW5J3NMVXHI2LPN2SWK5TFNZ2KYZTPN52GK4S7MNWGSY3L>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKEZXR5OYNIVMBB7US3JIT5ECNMPAVCNFSNUABGKJSXA33TNF2G64TZHM3DKOBVGYYDAMB3IRUXGY3VONZWS33OHM4TAMRXGU2TNILWAI>
.
You are receiving this because you were mentioned.Message ID:
<serverless-heaven/serverless-webpack/repo-discussions/2254/discussion_event/2704787
@github.com>
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi @serverless-heaven/serverless-webpack-team,
as NPM announced that they will change their token handling to a more restricted mode,
I will create and add a new token (the modern one).
Can you please make sure that this is then used in CI/CD properly?
See: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Thanks
Frank
Beta Was this translation helpful? Give feedback.
All reactions