In case you missed it, GitHub just announced a major security update for npm authentication that will start rolling out this October and finish by mid-November 2025.
If you maintain or publish npm packages, even small ones, this update affects you. Ignore it and your next CI/CD publish may suddenly stop working.
What’s Happening
GitHub (which owns npm) is tightening authentication rules to protect the ecosystem from supply-chain attacks.
The update has three main parts:
- Shorter token lifetimes
  - All new granular tokens will expire after 7 days by default (down from 30).
  - The maximum lifetime is now 90 days; previously there was no limit.
- Classic tokens are going away
  - Over the next five weeks, all legacy classic tokens will be revoked.
  - You won't be able to generate them anymore.
  - They lacked granular permissions and were considered high-risk if compromised.
- TOTP 2FA is being phased out
  - You won't be able to configure new TOTP-based two-factor setups.
  - GitHub is moving toward WebAuthn / passkeys for stronger, phishing-resistant authentication.
By mid-November 2025, the old world of “one permanent token forever” will be gone.
Why These Changes Matter
In the past year, npm was hit by a wave of phishing attacks and compromised packages.
Several maintainers were tricked by convincing phishing emails into handing over their credentials, and the attackers used those accounts to push malicious versions of popular libraries, with the payloads running from post-install scripts.
In September 2025 alone there were three major incidents in a single week, a clear sign that npm's token system needed an upgrade.
Long-lived tokens were an easy entry point for attackers: a token phished or leaked once stayed valid indefinitely, and a leaked classic token could publish to everything the account owned.
By forcing expiration and rotation, GitHub is limiting how long, and how widely, a stolen token can do damage.
This is a necessary evolution, even if it means extra friction for us developers.
What You Need to Do (Before November 2025)
- Stop using classic tokens
  - Generate new granular access tokens with scoped permissions (only the packages and operations each job actually needs).
  - Update your CI/CD pipelines, GitHub Actions secrets, and local `.npmrc` files. Reference the token from an environment variable rather than pasting it into the file.
- Plan for token rotation
  - Tokens now live for a maximum of 90 days.
  - If you publish often, schedule rotation reminders: Google Calendar, Notion, whatever keeps you sane.
  - Don't wait until your GitHub Actions fail mid-deploy.
- Consider trusted publishing (OIDC)
  - GitHub Actions and GitLab CI already support it.
  - You register the repository and workflow as a trusted publisher in the package's settings on npmjs.com; the CI job then exchanges a short-lived OIDC identity token for publish rights at publish time.
  - No token to store or rotate, provenance attestations generated automatically, and one less secret that can leak.
- Stay realistic about grouping tokens
  - You can group related packages or an organization under one token to reduce clutter, but avoid sharing tokens too broadly: a compromise in one repo puts every package that token can publish at risk.
Looking Ahead
This isn’t just about compliance — it’s about modernizing npm’s security foundation.
Expect more short-lived credentials, WebAuthn enforcement, and OIDC-based publishing in the future.
We're moving toward a world where tokens won't live long enough to be worth stealing, and where publishing relies on temporary, verifiable credentials issued by your CI provider for a single run.
Yes, it’s one more thing to manage — but it’s also the thing keeping millions of developers safe.
These new npm rules might feel strict, but they’re long overdue — and the sooner you adapt, the smoother your builds will be when November hits.