From 6bce06d8fadd05e1217d8c9ac35b1fefcd2c988e Mon Sep 17 00:00:00 2001 From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Fri, 29 Aug 2025 13:43:29 -0700 Subject: [PATCH 1/6] Enhance security recommendations for trusted publishers --- .../securing-your-code/trusted-publishers.mdx | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index ae5b873ebd5..0b6bde55d2e 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx 
@@ -148,6 +148,37 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com). Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings. +## Recommended: Restrict token access when using trusted publishers + +Once you've configured trusted publishers for your package, we strongly recommend restricting traditional token-based publishing access for enhanced security. + +### How to configure maximum security + +1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access** +2. Select **"Require two-factor authentication and disallow tokens"** +3. Save your changes + +This configuration: +- **Allows** publishing through trusted publishers (OIDC) +- **Blocks** all personal access tokens and automation tokens +- **Reduces** the risk of unauthorized publishing +- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab. + +### Why this matters + +Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management. + +**Note:** The "disallow tokens" setting only affects traditional token authentication. Your trusted publishers will continue to work normally, as they use OIDC tokens. 
+ +### Migration tip + +If you're transitioning from token-based publishing: +1. Set up trusted publishers first and verify they work +2. Then restrict token access as described above +3. Revoke any existing automation tokens that are no longer needed + +This ensures a smooth transition without disrupting your release process. + ## Automatic provenance generation When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command. From 4155e55a048c1d0f1b96d2b490d18e9ed69f5931 Mon Sep 17 00:00:00 2001 From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Tue, 2 Sep 2025 12:39:47 -0700 Subject: [PATCH 2/6] Update content/packages-and-modules/securing-your-code/trusted-publishers.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../securing-your-code/trusted-publishers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 0b6bde55d2e..67708914a44 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -162,7 +162,7 @@ This configuration: - **Allows** publishing through trusted publishers (OIDC) - **Blocks** all personal access tokens and automation tokens - **Reduces** the risk of unauthorized publishing -- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab. +- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab CI/CD. ### Why this matters From f31f31495ac5a0711a8e8a973f41052a268bceb5 Mon Sep 17 00:00:00 2001 
From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Tue, 2 Sep 2025 12:39:58 -0700 Subject: [PATCH 3/6] Update content/packages-and-modules/securing-your-code/trusted-publishers.mdx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Peter Stöckli --- .../securing-your-code/trusted-publishers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 67708914a44..221949a8347 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -156,7 +156,7 @@ Once you've configured trusted publishers for your package, we strongly recommen 1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access** 2. Select **"Require two-factor authentication and disallow tokens"** -3. Save your changes +3. Save your changes by clicking on **Update Package Settings** This configuration: - **Allows** publishing through trusted publishers (OIDC) From 617e979fabb4214a7e97e54004a16d2efc6d4976 Mon Sep 17 00:00:00 2001 From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Tue, 2 Sep 2025 12:49:12 -0700 Subject: [PATCH 4/6] Apply feedback --- .../securing-your-code/trusted-publishers.mdx | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 221949a8347..5892e67b4a4 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx 
@@ -158,12 +158,6 @@ Once you've configured trusted publishers for your package, we strongly recommen 2. Select **"Require two-factor authentication and disallow tokens"** 3. Save your changes by clicking on **Update Package Settings** -This configuration: -- **Allows** publishing through trusted publishers (OIDC) -- **Blocks** all personal access tokens and automation tokens -- **Reduces** the risk of unauthorized publishing -- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab CI/CD. - ### Why this matters Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management. @@ -175,7 +169,7 @@ Trusted publishers use short-lived, scoped credentials that are generated on-dem If you're transitioning from token-based publishing: 1. Set up trusted publishers first and verify they work 2. Then restrict token access as described above -3. Revoke any existing automation tokens that are no longer needed +3. [Revoke any existing automation tokens](https://docs.npmjs.com/revoking-access-tokens) that are no longer needed This ensures a smooth transition without disrupting your release process. From 34b176295ec3a0e114531ecd82a1af5904e30427 Mon Sep 17 00:00:00 2001 From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Wed, 3 Sep 2025 08:12:48 -0700 Subject: [PATCH 5/6] Update content/packages-and-modules/securing-your-code/trusted-publishers.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../securing-your-code/trusted-publishers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 5892e67b4a4..1224fd7c7a5 100644 
--- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -155,7 +155,7 @@ Once you've configured trusted publishers for your package, we strongly recommen ### How to configure maximum security 1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access** -2. Select **"Require two-factor authentication and disallow tokens"** +2. Select **"Require two-factor authentication and disallow tokens"** 3. Save your changes by clicking on **Update Package Settings** ### Why this matters From d898c6187a1a79781641e389ebfc329fe3e9cb5f Mon Sep 17 00:00:00 2001 From: Leo Balter <301201+leobalter@users.noreply.github.com> Date: Wed, 3 Sep 2025 14:24:37 -0700 Subject: [PATCH 6/6] fix lint --- .../securing-your-code/trusted-publishers.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 1224fd7c7a5..0b88329077f 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -167,6 +167,7 @@ Trusted publishers use short-lived, scoped credentials that are generated on-dem ### Migration tip If you're transitioning from token-based publishing: + 1. Set up trusted publishers first and verify they work 2. Then restrict token access as described above 3. [Revoke any existing automation tokens](https://docs.npmjs.com/revoking-access-tokens) that are no longer needed
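Review bot: in the first hunk of patch 1 (@@ -148,6 +148,37 @@), the new section explains only the "disallow tokens" half of the setting chosen in step 2 ("Require two-factor authentication and disallow tokens"); the "Require two-factor authentication" half is never described, so the reader is not told what it requires of maintainers who still publish manually. Add one sentence under "Why this matters" covering that, and state that once tokens are disallowed the CI workflow configured as the trusted publisher is the effective publishing credential, so control over that workflow deserves the same care the old tokens did. Two smaller points in the same hunk: "This configuration:" has no blank line before its list (the same lint issue patch 6 later fixes for the migration list), and "**Blocks** all personal access tokens and automation tokens" is inconsistent with migration step 3, which tells readers to revoke only "automation tokens"; widen step 3 to every access token that was used for publishing.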
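Review bot: in the hunk of patch 2 (@@ -162,7 +162,7 @@), the edited item still ends with a period while its three sibling list items do not; drop the trailing period on "- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab CI/CD." or add one to the others so the list is consistent.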
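Review bot: in the hunk of patch 3 (@@ -156,7 +156,7 @@), "Save your changes by clicking on **Update Package Settings**" reads better as "by clicking **Update Package Settings**", and the list now mixes two conventions for UI labels: step 2 wraps its control name in bold plus quotes (`**"Require two-factor authentication and disallow tokens"**`) while steps 1 and 3 use bold alone. Pick one convention for the whole list.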
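Review bot: in the first hunk of patch 4 (@@ -158,12 +158,6 @@), deleting the "This configuration:" list removes the only explicit statement of what the setting blocks (personal access tokens and automation tokens); the surviving "**Note:**" paragraph says only that trusted publishers keep working. Keep one sentence in "Why this matters" naming the token types that stop working, so readers can audit which of their existing pipelines will break before flipping the setting.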
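Review bot: in the second hunk of patch 4 (@@ -175,7 +169,7 @@), the new link is an absolute URL (https://docs.npmjs.com/revoking-access-tokens) while the same file links sibling pages relatively, for example `[provenance attestations](./generating-provenance-statements)` in the unchanged text after patch 1's hunk; use the relative form so the link also resolves in branch previews and local builds.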
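Review bot: in the hunk of patch 5 (@@ -155,7 +155,7 @@), the removed and added versions of step 2 are visually identical, so the change is whitespace or a non-printing or quote character the rendered diff does not show; the subject "Update content/packages-and-modules/securing-your-code/trusted-publishers.mdx" should say what was actually replaced so a reviewer can verify it rather than take it on trust.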
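Review bot: in the hunk of patch 6 (@@ -167,6 +167,7 @@), the added blank line before the numbered list is the right fix for the list lint, but it is the fourth one-line fixup to patch 1 in this series (patches 2, 3, 5 and 6); squash them into the first commit before merge so the history carries a single coherent change with an accurate subject line.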