Consider adopting npm trusted publishing

[JamieMagee]

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc.

npm is planning to deprecate legacy tokens and make trusted publishing the preferred method.

I know that this repository has a non-standard publishing workflow, which makes adoption trickier than the documentation makes it out. But given that it publishes all @types/* packages I think it would provide a huge uplift and set a good example for the whole Node ecosystem.

References:

• npm trusted publishing documentation
• Announcement blog post
• Provenance statements guide

[jakebailey]

Unless they provide some mechanism to do OIDC for an entire scope, I don't really know how this is going to be feasible. We absolutely cannot go through the UI flow to grant publish permissions for thousands of packages.

[jakebailey]

I'll note that the proposed changes massively hurt our ability to do anything at all. I don't even think there's an endpoint to do token rotation.

[Cevan00]

@jakebailey Have you considered reaching out to npm support for assistance? Given that all of the projects are under the Microsoft umbrella, it may be possible to coordinate efforts more effectively.

[jakebailey]

Yes, we are talking with them though multiple channels.