January 7, 2026
From sandworms to speed bumps
NPM to implement staged publishing after turbulent shift off classic tokens
Speed bumps after token turmoil; devs split between relief, rage
TLDR: npm will add a review step with multi-factor authentication (MFA) approval before releases go live, to slow supply chain hacks. The community is split: some welcome the safety pause, others blast “trusted publishing” limits, vendor lock-in vibes, and a CLI that still fumbles two-factor — cue drama and debate.
npm says it’s adding a review pit stop before packages go live — think a registry “Are you sure?” screen gated by MFA (multi-factor authentication) — after the Shai-Hulud supply chain attacks turned the JavaScript world into a Dune sequel. The move follows the messy breakup with “classic tokens,” and the community brought popcorn. One camp cheers the brakes: “speed bumps save lives,” arguing automation needs a human checkpoint. Another camp? Furious. Commenters like woodruffw call “trusted publishing” too narrow, tied to a handful of CI systems (automated build pipelines) and unable to handle a package’s first release. A top maintainer, spankalee, described manually combing through changes across dozens of packages — tension so thick you could cut it with a semicolon. The spiciest hot take: m4rtink wants to ditch language package managers entirely and go back to old-school distro repositories. Meanwhile, lloydatkinson accuses npm of “reverse vendor lock-in,” and herpdyderp says the CLI (command-line tool) still can’t do 2FA, making “security” feel like a glitch. The meme energy? “npm adds a nightclub bouncer with a 2FA stamp.” Love it or hate it, staged publishing is the internet’s new speed check — and everyone’s arguing whether it’s a lifesaver or a traffic jam. Check the vibe at npm.
Key Points
- npm plans staged publishing, adding a registry-level review window that requires MFA-verified approval before packages go live.
- The initiative responds to 2025’s supply chain threats, particularly the multi-wave Shai-Hulud campaign in the JavaScript ecosystem.
- npm will expand OIDC-based trusted publishing with bulk onboarding and broader support beyond GitHub Actions and GitLab.
- Classic tokens were disabled (early November) and revoked (December 9), replaced by short-lived session tokens and granular access tokens.
- CLI support for granular tokens and default 2FA enforcement for new packages shipped with the revocation, but maintainers reported scaling challenges.
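As an added illustration, not taken from the article or from npm’s own documentation, here is what the move off classic tokens toward OIDC trusted publishing looks like in a GitHub Actions workflow. The package, secret and workflow names are placeholders, and it is assumed that the package has already been linked to this repository and workflow file as a trusted publisher on npmjs.com.

```yaml
# Before (the classic-token pattern): a long-lived npm token lives in a repository
# secret and is handed to every run. Anyone who steals the secret can publish as you,
# which is exactly the blast radius the Shai-Hulud campaign exploited.
# name: publish-legacy
# on: { push: { tags: ['v*'] } }
# jobs:
#   publish:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - uses: actions/setup-node@v4
#         with: { node-version: 22, registry-url: 'https://registry.npmjs.org' }
#       - run: npm ci && npm publish
#         env: { NODE_AUTH_TOKEN: '${{ secrets.NPM_CLASSIC_TOKEN }}' }  # long-lived credential

# After: OIDC trusted publishing. No npm token is stored anywhere. The job asks GitHub
# for a short-lived OIDC identity token, and the registry only accepts it for the
# package/repository/workflow combination registered as the trusted publisher.
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write        # allows the job to mint the OIDC token trusted publishing needs
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm@latest   # OIDC publishing requires a recent npm CLI
      - run: npm ci
      - run: npm publish                 # no NODE_AUTH_TOKEN: identity comes from OIDC
```

The workflow file name must match the one registered with npm, so renaming the file silently breaks publishing rather than falling back to a token, which is the desired failure mode.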