npm Classic Tokens Are Gone: Two Low-Maintenance Ways to Keep Publishing
Source: Dev.to
Background
npm recently announced that classic npm tokens are being deprecated and revoked. Everyone must migrate to granular tokens, which include an expiration date. For publish/write use cases, this effectively means regular rotation.
In the UI there isn’t even an option to renew a token—you have to create a new token (and delete the old one) each time.
Two Low‑Maintenance Ways to Keep Publishing
1. Automate token rotation with the npm CLI
You can script token creation and revocation, then run it on a schedule (e.g., every 90 days). A simple example:
# renew-token.sh
# Stop on the first failing command so a half-finished rotation is noticed.
set -euo pipefail
# Create a new token with publish permissions (flags as given in this post;
# confirm them against `npm token create --help` for your npm version).
npm token create --read-write --expires=90d
# (Optional) Revoke the old token by ID; `npm token list` shows the IDs.
# npm token revoke <old-token-id>
Add a script entry to your package.json:
{
  "scripts": {
    "renew-token": "bash renew-token.sh"
  }
}
Run it with:
npm run renew-token
This eliminates the need to click around the npm website each time a token expires, although the new token still has to be stored wherever publishing actually runs.
2. Use OpenID Connect (OIDC) in CI/CD
If your workflow runs on GitHub Actions, GitLab CI/CD, or another OIDC‑compatible platform, you can authenticate to npm without storing a long‑lived token.
- Link your package to the repository and workflow file in the npm settings.
- Configure OIDC in your CI/CD pipeline to request a short‑lived identity token.
- Publish using the npm publish command; npm will accept the publish if it originates from the trusted source.
This approach is zero‑maintenance after the initial setup and provides stronger security because no persistent token is stored.
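A GitHub Actions workflow for the OIDC flow described above, added here as an example and not taken from the original post. It assumes the package's trusted publisher entry on npm names this repository and the file .github/workflows/publish.yml, that the action versions shown are current, and that the runner's npm meets npm's minimum CLI version for trusted publishing (the upgrade step is a hedge for images that bundle an older npm).

```yaml
# .github/workflows/publish.yml (assumed filename; it must match the workflow
# file registered as the trusted publisher in the package's npm settings)
name: publish

on:
  push:
    tags:
      - "v*"            # publish on version tags only

permissions:
  contents: read
  id-token: write       # lets the job request a short-lived OIDC identity token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires a recent npm CLI; upgrading is a hedge in
      # case the runner's bundled npm is too old (assumption, check npm's docs).
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret anywhere: npm exchanges the
      # workflow's OIDC token for publish rights on the linked package.
      # --access public only matters for scoped packages.
      - run: npm publish --access public
```

Remove any leftover NPM_TOKEN secret from the repository so that publishing depends on the trusted-publisher link alone rather than on a long-lived credential that may still be lying around.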
Conclusion
By either automating token rotation with the npm CLI or leveraging OIDC in your CI/CD pipelines, you can keep publishing packages without the hassle of manual token management. Both methods simplify your workflow and improve security.