Skip to content

fix: Correct timeline for npm OIDC publishing #1569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 29, 2025
Merged

fix: Correct timeline for npm OIDC publishing #1569

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4b0aeb3
Correct timeline for npm OIDC publishing
Swimburger Oct 29, 2025
65e01e5
vale
Swimburger Oct 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions fern/products/sdks/overview/typescript/publishing-to-npm.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ registry](https://www.npmjs.com/). After following the steps on this page,
you'll have a versioned package published on npm.

<Warning title="Already publishing to npm?">
If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in early 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in mid-November 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
</Warning>

<Frame>
Expand Down Expand Up @@ -113,7 +113,7 @@ groups:
Choose how you want to authenticate with npmjs when publishing.

<Warning>
**Starting in early 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
**Starting mid-November 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
</Warning>

<AccordionGroup>
Expand Down Expand Up @@ -205,7 +205,7 @@ Provenance attestations aren't generated for packages published from private rep
<Accordion title="Token-based authentication (Legacy)">

<Warning>
**This method is being deprecated by npmjs.org in early 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
**This method is being deprecated by npmjs.org in mid-November 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
</Warning>

<Steps>
Expand Down