npm recently announced that classic npm tokens are being deprecated and revoked. Everyone has to migrate to granular tokens, which come with an expiration date (and for publish/write use cases, that effectively means regular rotation).
And, strangely, in the UI there isn’t even an option to renew a token. You basically have to create a new token (and delete the old one) every time.
I maintain a few packages on GitHub, and my first thought was: “Do I really have to do this every 90 days just to keep publishing working?” That would be a little nightmare.
But after reading the announcement and docs, I found there are two major things you can do to make your life easier.
1) Use the CLI to manage tokens
There’s a CLI for managing tokens, so you can set up a script to rotate them automatically — something like:
npm run renew-token
This way, you don’t have to click around the npm website every time.
2) Use OIDC (Trusted Publishing) from GitHub/GitLab
If your workflow runs on GitHub Actions or GitLab CI/CD, you can use OpenID Connect (OIDC) for an even more secure way to authenticate when your workflow publishes a package.
This is zero maintenance once it’s set up: you don’t store a long-lived token at all. Instead, you link your package to an official repository + workflow file, and npm will accept the publish if it comes from that trusted source.
Now I’m happy again — and my setup is even simpler and more secure than it was before :)
I hope this helped. Have a great day!