Consider Adopting NPM Trusted Publishing

[Cevan00]

Overview

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc...

NPM is planning to deprecate legacy tokens and make trusted publishing the preferred method.

If assistance is welcome, please let me know and I can assist and/or get
further assistance as needed.

Reference

References:

• NPM trusted publishing documentation
• Announcement blog post
• Provenance statements guide

[Om-singh-ui]

This seems like a sensible direction given the recent supply chain incidents. Eliminating long-lived tokens and enabling provenance would definitely reduce risk around compromised maintainer credentials.

One question: are there any CI/CD or workflow constraints that would make adoption difficult for this repo? For example, migration complexity, required GitHub Actions setup, or impact on current release automation?

If there’s interest, I’d be happy to help test or validate a draft workflow configuration.

[markerikson]

Already did this for RTK. We just haven't published a new version of React-Redux since then, so I haven't pulled over the changes.