Skip to content

Consider adopting npm trusted publishingΒ #7384

New issue
New issue
Open
Open
Consider adopting npm trusted publishing#7384
Labels
feature-requestNew feature or enhancement. May require GitHub community feedback.p2This is a standard priority issuequeuedThis issues is on the AWS team's backlog
@JamieMagee

Description

@JamieMagee
JamieMagee
opened on Sep 28, 2025

Describe the feature

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc.

Use Case

npm is planning to deprecate legacy tokens and make trusted publishing the preferred method.

Would you consider adopting trusted publishing to help secure the npm ecosystem?

References:

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

N/A

Environment details (OS name and version, etc.)

N/A

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature-requestNew feature or enhancement. May require GitHub community feedback.p2This is a standard priority issuequeuedThis issues is on the AWS team's backlog

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions