[QUESTION/BUG] Is the "90-day expiration" for the granular tokens still enforced?

[oleksandr-danylchenko]

Issue

The banner at the top of the npmjs.com page clearly states that:

Security Update: Classic tokens have been revoked. Granular tokens are now limited to 90 days and require 2FA by default. Update your CI/CD workflows to avoid disruption. Learn more.

However, I can choose an arbitrary date in the future for a new granular token using the npm page 👀

IIRC, previously, right after the security rules update, the dropdown calendar didn't allow selection of anything past the 90 days. The dates appeared as disabled.

Demo

long_living_granular_token_creation_flow.mp4

[PavloSukhinin]

Interesting, the documentation creating and viewing access tokens doesn't specify the 90 days anywhere:

In the Expiration field, select a token expiration period from the dropdown menu. You can choose from predefined options or select Custom to specify a custom expiration date using the date picker.

Note: The date must be at least 1 day in the future.

I was able to create a token that expires Oct 31, 2027. The banner message may be misleading.