How GitHub’s Token Changes Impact npm Developers
This week, GitHub rolled out a major security update for the npm registry, aimed at making it safer from supply chain attacks. The update involves revoking a type of token called “classic” or “long-lived” tokens, which many developers have used for years to authenticate their package publishing and installations. Moving forward, developers need to switch to newer, more secure authentication methods to keep working smoothly.
What Changed and Why
On December 9, GitHub officially removed all classic tokens that didn’t have an expiration date. These tokens allowed developers to authenticate without any time limit, which made them dangerous if compromised: a leaked token stayed valid until someone noticed and revoked it. The move is part of a broader effort to improve security after a spike in supply chain attacks, such as the September Shai-Hulud worm incident that infected hundreds of npm packages by compromising developer accounts.
By revoking these old tokens, GitHub aims to raise the security bar across the ecosystem. They now encourage developers to use granular access tokens (GATs), which have limited scope and shorter lifespans, or to switch to a new automated publishing system based on OpenID Connect (OIDC) and OAuth 2.0. This is designed to make it harder for bad actors to compromise accounts and insert malicious code into packages.
How This Affects Developers
For developers, the change is quite significant. Any automated process that uses a classic token to run commands like npm publish or npm install will now get a “401 Unauthorized” error. Generating new classic tokens without an expiration date is no longer possible. Developers must now use granular tokens; existing granular tokens will continue to work until February 3, 2026, and after that date they will also have to be rotated every 90 days.
In larger organizations with many packages and teams, this means a lot of work. They will need to audit existing tokens, revoke old ones, and set up new ones with proper expiration dates. This process can be time-consuming, especially for teams managing hundreds of packages across multiple projects.
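The audit step just described (inventory existing tokens, find the ones that need rotating, and move publishing off static credentials where OIDC is an option) is easier to script than to do by hand across hundreds of packages. What follows is an added example, not code from the article, GitHub or npm: a small Python scanner that reads .npmrc files and GitHub Actions workflow files, flags hard-coded tokens and publish jobs that still depend on a static token secret, and recognises jobs that already use OIDC trusted publishing (a permissions grant of id-token: write with no token secret). The sample .npmrc and workflow contents are constructed; the secret names NPM_TOKEN and NODE_AUTH_TOKEN, the workflow layout and the trusted-publishing shape are assumptions about a typical setup, and whether a token pulled from an environment variable actually has an expiry still has to be checked in the npm account settings.

```python
"""Inventory npm credentials in repo config ahead of the classic-token revocation.

Added example (not from the article, GitHub or npm). Scans .npmrc text and
GitHub Actions workflow text for:
  1. hard-coded npm tokens in .npmrc (must be revoked and rotated),
  2. tokens injected from an environment variable (confirm they have an expiry),
  3. publish jobs that still rely on a static token secret (candidates for OIDC),
  4. publish jobs already using OIDC trusted publishing (id-token: write, no secret).
All sample inputs below are constructed; secret names and workflow layout are
assumptions about a typical setup, not anything the article specifies.
"""
import re
from dataclasses import dataclass

# Constructed sample .npmrc: one hard-coded token (bad), one env reference (better).
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE00
//npm.example.internal/:_authToken=${NPM_TOKEN}
"""

# Constructed sample workflow: publish step fed a long-lived secret via NODE_AUTH_TOKEN.
SAMPLE_WORKFLOW_TOKEN = """\
name: release
on: push
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample workflow: same job migrated to OIDC trusted publishing (no token).
SAMPLE_WORKFLOW_OIDC = """\
name: release
on: push
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish
"""

TOKEN_LITERAL = re.compile(r"_authToken\s*=\s*(npm_[A-Za-z0-9]+)")
TOKEN_ENVREF = re.compile(r"_authToken\s*=\s*\$\{?([A-Z_][A-Z0-9_]*)\}?")
PUBLISH_STEP = re.compile(r"^\s*-?\s*run:.*\bnpm publish\b", re.M)
SECRET_REF = re.compile(r"secrets\.([A-Z_][A-Z0-9_]*)")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)


@dataclass
class Finding:
    source: str    # file the finding came from
    severity: str  # "high", "medium", "info" or "ok"
    message: str


def scan_npmrc(name, text):
    """Report hard-coded tokens and env-sourced tokens in an .npmrc body."""
    findings = []
    for m in TOKEN_LITERAL.finditer(text):
        tok = m.group(1)
        # Only a prefix is echoed so the report itself does not leak the credential.
        findings.append(Finding(name, "high",
                                f"hard-coded token {tok[:8]}...: revoke, rotate, move to a secret store"))
    for m in TOKEN_ENVREF.finditer(text):
        findings.append(Finding(name, "info",
                                f"token read from env var {m.group(1)}: confirm it has an expiry"))
    return findings


def scan_workflow(name, text):
    """Classify how an npm publish step in a workflow obtains its credential."""
    findings = []
    if not PUBLISH_STEP.search(text):
        return findings  # nothing published here, nothing to rotate
    secrets = sorted(set(SECRET_REF.findall(text)))
    if secrets:
        findings.append(Finding(name, "medium",
                                f"npm publish uses static secret(s) {', '.join(secrets)}: "
                                "rotate on schedule or migrate to OIDC trusted publishing"))
    elif ID_TOKEN_WRITE.search(text):
        findings.append(Finding(name, "ok",
                                "npm publish with id-token: write and no token secret (trusted publishing)"))
    else:
        findings.append(Finding(name, "high",
                                "npm publish with no secret and no id-token grant: find where the credential comes from"))
    return findings


def run_inventory():
    """Scan the constructed samples; a real run would walk the repo tree instead."""
    return (scan_npmrc(".npmrc", SAMPLE_NPMRC)
            + scan_workflow("release-token.yml", SAMPLE_WORKFLOW_TOKEN)
            + scan_workflow("release-oidc.yml", SAMPLE_WORKFLOW_OIDC))


if __name__ == "__main__":
    for f in run_inventory():
        print(f"[{f.severity:>6}] {f.source}: {f.message}")
```

Running the block prints one line per finding: the hard-coded .npmrc token and the env-sourced token, the workflow that still injects a secret, and the OIDC workflow marked ok. Pointing the same functions at every .npmrc and .github/workflows/*.yml in an organisation's repositories gives the inventory the rotation work needs, and rerunning it after the rotation confirms nothing was missed.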
Some security experts believe these changes don’t go far enough. The OpenJS Foundation recently criticized GitHub’s move to a tokenless OIDC security model. They argue that since attackers often get into developer accounts, adding multi-factor authentication (MFA) should be a priority. Currently, npm doesn’t enforce MFA for smaller developer accounts, and OIDC doesn’t require it either. This leaves some security gaps that need addressing in the future.
Overall, the move to revoke classic tokens is a step toward a safer npm ecosystem, but developers will need to adapt quickly. Embracing shorter-lived tokens and new authentication methods will be key to maintaining smooth workflows and keeping packages secure.