René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Consider Adopting NPM Trusted Publishing","articleBody":"\u003e ## Overview\n\u003e Recent [supply chain attacks on npm](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/) have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.\n\u003e \n\u003e Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by `PyPI`, `RubyGems`, `crates.io`, `NuGet`, etc...\n\u003e \n\u003e `NPM` is [planning to deprecate legacy tokens](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/#h-npm-s-roadmap-for-hardening-package-publication) and make trusted publishing the preferred method.\n\u003e \n\u003e ## Reference\n\u003e References:\n\u003e \n\u003e * [NPM trusted publishing documentation](https://docs.npmjs.com/trusted-publishers)\n\u003e * [Announcement blog post](https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/)\n\u003e * [Provenance statements guide](https://docs.npmjs.com/generating-provenance-statements)\n\u003e \n\u003e Inspiration:\n\u003e \n\u003e * [Consider adopting npm trusted publishing microsoft/TypeScript#62499](https://github.com/microsoft/TypeScript/issues/62499)\n","author":{"url":"https://github.com/Cevan00","@type":"Person","name":"Cevan00"},"datePublished":"2025-10-02T17:49:34.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/1978/msgraph-sdk-javascript/issues/1978"}