fern/products/sdks/overview/typescript/publishing-to-npm.mdx
11 additions & 11 deletions
@@ -106,10 +106,10 @@ groups:
106
106
107
107
## Configure authentication
108
108
109
-
Choose how you want to authenticate with npmjs when publishing. **OIDC is strongly recommended** for security.
109
+
Choose how you want to authenticate with npmjs when publishing. **OpenID Connect (OIDC) is strongly recommended** for security.
110
110
111
111
<Note>
112
-
**Starting in early 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. We recommend using OIDC-based authentication.
112
+
**Starting in early 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. OIDC-based authentication is recommended.
113
113
</Note>
114
114
115
115
<AccordionGroup>
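Review bot: The recommendation strength is now inconsistent between the intro and the Note in this hunk. New line 109 says OIDC is "strongly recommended", while new line 112 says "OIDC-based authentication is recommended", and the Warning later in the file uses "strongly recommended" again. Use one wording throughout, for example "OIDC-based authentication is strongly recommended." in the Note, so readers do not infer two different levels of guidance.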
@@ -193,7 +193,7 @@ Common causes:
193
193
194
194
**Private repository limitations**
195
195
196
-
Provenance attestations are not generated for packages published from private repositories, even when using trusted publishing. This is a [known limitation](https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/).
196
+
Provenance attestations aren't generated for packages published from private repositories, even when using trusted publishing. This is a [known limitation](https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/).
197
197
198
198
</Accordion>
199
199
@@ -202,7 +202,7 @@ Provenance attestations are not generated for packages published from private re
**This method is being deprecated by npmjs.org in early 2025.** We strongly recommend using OIDC-based authentication instead. Long-lived authentication tokens can be accidentally exposed in logs, compromised, and are difficult to manage and rotate.
205
+
**This method is being deprecated by npmjs.org in early 2025.** OIDC-based authentication is strongly recommended instead. Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate.
206
206
</Warning>
207
207
208
208
<Steps>
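Review bot: The rewritten last sentence of the Warning (new line 205) still has broken parallel structure: "can be exposed in logs, compromised, and are difficult to manage and rotate" mixes two items governed by "can be" with a third that has its own verb. Since the line is being touched anyway, split it, for example "Long-lived authentication tokens can be exposed in logs or compromised, and they are difficult to manage and rotate." Dropping "accidentally" is fine, but the sentence should then read cleanly on its own.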
@@ -261,7 +261,7 @@ groups:
261
261
262
262
Your SDK will automatically be published to npmjs when you create a GitHub release with a version tag:
263
263
264
-
1. Create a GitHub release with a version tag (e.g., `v1.0.0`)
264
+
1. Create a GitHub release with a version tag (for example, `v1.0.0`)
265
265
1. The CI workflow will run automatically and publish to npm
266
266
1. View your package on npmjs.com to confirm the new version
267
267
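Review bot: The registry is named three different ways in the lines around the edit at 264: "published to npmjs" (262), "publish to npm" (265) and "npmjs.com" (266). The same commit changes "npm" to "npmjs" in the "Why migrate to OIDC" section, so line 265 looks like a missed occurrence. Align it with the term chosen elsewhere, or state once which name refers to the registry and which to the CLI.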
@@ -308,13 +308,13 @@ If you're currently using token-based authentication and need to migrate to OIDC
308
308
309
309
### Why migrate to OIDC
310
310
311
-
npm is implementing trusted publishing to eliminate security risks associated with long-lived tokens, which can be:
311
+
npmjs is implementing trusted publishing to remove security risks associated with long-lived tokens, which can be:
312
312
313
-
- Accidentally exposed in logs or configuration files
313
+
- Exposed in logs or configuration files
314
314
- Compromised and used persistently until manually revoked
315
315
- Difficult to manage and rotate
316
316
317
-
OIDC-based publishing uses short-lived, cryptographically-signed tokens that are specific to your workflow and cannot be extracted or reused.
317
+
OIDC-based publishing uses short-lived, cryptographicallysigned tokens that are specific to your workflow and can't be extracted or reused.
318
318
319
319
### Prerequisites
320
320
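Review bot: New line 317 introduces a typo: "cryptographicallysigned" lost both the hyphen and the space. It should read "cryptographically signed" (no hyphen is needed after an "-ly" adverb). While on this line, note that the intro at 311 now says "npmjs is implementing trusted publishing"; check that this matches the naming used in the rest of the page.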
@@ -405,10 +405,10 @@ This is the easiest path if you can upgrade to version 3.12.0 or later of the Ty
405
405
406
406
<Accordion title="Path 2: Manual CI workflow update">
407
407
408
-
Use this path if you cannot upgrade the generator or have customized your CI workflow.
408
+
Use this path if you can't upgrade the generator or have customized your CI workflow.
409
409
410
410
**When to use this path:**
411
-
- You cannot upgrade due to breaking changes or bugs
411
+
- You can't upgrade due to breaking changes or bugs
412
412
- You've customized your CI workflow and added it to `.fernignore`
413
413
- Path 1 didn't update your workflow file
414
414
@@ -506,7 +506,7 @@ Use this path if you cannot upgrade the generator or have customized your CI wor
506
506
507
507
After completing either migration path:
508
508
509
-
1. **Trigger a workflow run** by creating a GitHub release with an alpha tag (e.g., `v1.0.0-alpha`)
509
+
1. **Trigger a workflow run** by creating a GitHub release with an alpha tag (for example, `v1.0.0-alpha`)
510
510
2. **Check the workflow logs** to verify the publish step succeeds
511
511
3. **Verify provenance** by visiting your package on [npmjs.com](https://npmjs.com) - you should see a provenance badge
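Review bot: Step 3 at line 511 tells every reader "you should see a provenance badge", but the "Private repository limitations" paragraph earlier in this same file states that provenance attestations aren't generated for packages published from private repositories, even with trusted publishing. A reader publishing from a private repository will complete a successful migration and still fail this check. Add a short qualifier to step 3, for example "(public repositories only; see Private repository limitations)", and point those readers to step 2 as their success criterion.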