NPM Token Revocation: Migrate To Trusted Publishing Now!
Hey guys! NPM is making some big security changes that could impact your ioBroker projects. If you're using classic tokens for automation, CI/CD pipelines, or even local development, you need to switch to granular access tokens ASAP. The deadline is early November 2025, so let's dive into what's happening and how to prepare!
What's Happening with NPM Tokens?
So, NPM is revoking classic tokens due to security concerns. You might have received an email like this:
Dear iobroker-bot,
Important security changes are coming to npm that may affect your packages and workflows. This is the first phase of our comprehensive security improvements.
Phase 1 changes:
- October 13: New granular tokens limited to 90-day maximum lifetime (7-day default)
- October 13: New TOTP 2FA configurations disabled (existing TOTP still works)
- Early November: All classic tokens will be permanently revoked
Action required: If you use classic tokens in any automation, CI/CD pipelines, or local development, you must migrate to granular access tokens before early November to avoid publishing disruptions.
More changes ahead: This is the first of several security updates. Additional phases will follow in the coming months, including further 2FA improvements and expanded trusted publisher support. We'll communicate each phase in advance.
Why we're making these changes: Recent supply chain attacks have shown that compromised long-lived tokens are a critical vulnerability. These phased changes are essential to protect the npm ecosystem and your packages from malicious actors.
Get full details and migration guidance: https://gh.io/npm-token-changes
Need help?
- Join the discussion: https://github.com/orgs/community/discussions/174507
- Contact support: https://www.npmjs.com/support
We understand these changes require effort from you. Thank you for your partnership in making npm more secure for millions of developers worldwide.
The key takeaway here is: Early November: All classic tokens will be permanently revoked. This means your automatic deployments using the standard test-and-release.yml workflow will break unless you migrate to Trusted Publishing.
Why Migrate to Trusted Publishing?
Without those classic, forever-valid tokens, your automated deployment setup just won't work anymore. Migration to Trusted Publishing is the recommended solution, and the great news is that ioBroker tools already support it! Think of Trusted Publishing as a more secure and reliable way to handle your deployments, ensuring only authorized workflows can publish packages.
Benefits of Trusted Publishing
- Enhanced Security: Reduces the risk of compromised tokens and supply chain attacks. By linking publishing rights directly to your GitHub repository and workflow, you eliminate the need for long-lived, easily stolen tokens.
- Automated Workflow: Seamlessly integrates with your existing CI/CD pipelines, particularly the test-and-release.yml workflow, making the transition smooth and straightforward.
- Improved Trust: Builds confidence in your packages by verifying that they are published from a trusted source.
- Future-Proofing: Aligns with NPM's evolving security standards, ensuring your projects remain compliant and secure in the long run. NPM is committed to enhancing the security of the ecosystem, and Trusted Publishing is a key part of that vision.
- Granular Control: Trusted Publishing provides more granular control over who can publish your packages. This is especially useful for organizations with multiple developers working on the same project.
How to Migrate to Trusted Publishing: A Step-by-Step Guide
OK, let's get down to business. Here's what you need to do to migrate to Trusted Publishing and keep your ioBroker deployments running smoothly.
1. Set Up the NPM Trust Relationship
This part is the same regardless of which test-and-release workflow you're using.
- Log in to npmjs.com: Make sure you're using an account that has publishing rights for your package.
- Go to your package page: Navigate to https://www.npmjs.com/package/YOUR-PACKAGE-NAME. Replace YOUR-PACKAGE-NAME with the actual name of your ioBroker adapter package.
- Configure Trusted Publishing:
  - Click on the "Settings" tab.
  - Scroll down to the "Publishing access" section.
  - Click on "Automate publishing with GitHub Actions" or "Add trusted publisher."
  - Fill in the info:
    - Repository owner: Your GitHub username or organization (e.g., ioBroker).
    - Repository name: Your adapter's repository name (e.g., ioBroker.your-adapter).
    - Workflow name: test-and-release.yml (or whatever you named your release workflow).
    - Environment: Leave this blank.
- Save it!
For more detailed information, check out:
2. Actions for Repositories Using the Up-to-Date test-and-release Workflow
If you're already using the ioBroker/testing-action-deploy action, here's what to tweak in your test-and-release.yml file.
- Edit test-and-release.yml: You can do this directly on GitHub or in your local development environment.
- Remove the npm-token from the deploy section:
  - Find the deploy job. It should look something like this:

```yaml
# Deploys the final package to NPM
deploy:
  needs: [check-and-lint, adapter-tests]
  # Trigger this step only when a commit on any branch is tagged with a version number
  if: |
    contains(github.event.head_commit.message, '[skip ci]') == false &&
    github.event_name == 'push' &&
    startsWith(github.ref, 'refs/tags/v')
  runs-on: ubuntu-latest
  # Write permissions are required to create Github releases
  permissions:
    contents: write
  steps:
    - uses: ioBroker/testing-action-deploy@v1
      with:
        node-version: '20.x'
        # Uncomment the following line if your adapter cannot be installed using 'npm ci'
        # install-command: 'npm install'
        build: true
        npm-token: ${{ secrets.NPM_TOKEN }}
        github-token: ${{ secrets.GITHUB_TOKEN }}
```

  - Remove (or comment out with a #) the line that starts with npm-token:.
  - In the permissions: block, add a line id-token: write. Make sure the indentation is correct! If the permissions: block is missing, add it, including the contents: write line as shown above.
- Test Your Workflow: Create a test release to make sure everything's working as expected.
- (Optional) Remove the NPM_TOKEN Secret: After confirming everything is working correctly, you can remove the NPM_TOKEN secret from your GitHub repository settings. This is an extra security step.
3. Actions for Repositories with Modified or Outdated Workflows
If you're not using the standard test-and-release workflow, you have a few options:
- Switch to the Standard Workflow: This is generally the easiest and most recommended approach. Follow the steps in the previous section.
- Use ioBroker/testing-action-deploy@v1 in Your Custom Workflow: If you need to keep your custom workflow, try to incorporate the ioBroker/testing-action-deploy@v1 action. Then, follow the migration guide above.
- Follow NPM's Trusted Publishing Documentation: If you absolutely must use a private deploy mechanism, follow the steps in the NPM Trusted Publishing documentation. Pay close attention to these points:
  - Make sure you enter the correct workflow name when setting up Trusted Publishing.
  - Use the latest version of npm for deployment. Add npm install -g npm@latest to your workflow before the deploy command. Don't update npm for the entire workflow, as this could cause issues.
  - Do not use a token or try to log in to npm. Use npm publish without dedicated authorization.
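To show how those three points fit together in a hand-written workflow, here is a minimal custom deploy job. This is an added example, not the project's own workflow; it assumes actions/checkout@v4 and actions/setup-node@v4, a Node 20 adapter, and a build script in package.json (drop that step if your adapter has none).

```yaml
# Added example: a custom deploy job that publishes via Trusted Publishing.
# Assumes actions/checkout@v4, actions/setup-node@v4 and an npm "build" script.
deploy:
  needs: [check-and-lint, adapter-tests]
  if: |
    contains(github.event.head_commit.message, '[skip ci]') == false &&
    github.event_name == 'push' &&
    startsWith(github.ref, 'refs/tags/v')
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write   # required so npm can request the OIDC token for this workflow
  # No "environment:" key here: the trusted publisher was saved with Environment left blank
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: '20.x'
    - run: npm ci
    - run: npm run build   # remove if the adapter has no build step
    # Upgrade npm only in this job, right before publishing: the npm bundled
    # with the Node runtime may be too old for Trusted Publishing
    - run: npm install -g npm@latest
    # No NPM_TOKEN, no NODE_AUTH_TOKEN, no "npm login": the job identity
    # (repository owner + name + workflow file name) is what npm checks
    - run: npm publish
```

The workflow file name of this job must match the "Workflow name" entered on npmjs.com exactly, otherwise npm rejects the publish.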
Upcoming PR for Standard Workflows
The ioBroker team is working on a tool to automatically generate a pull request (PR) that adds the necessary changes to the standard test-and-release workflow. Keep an eye out for this PR in the next week or so. However, if you're not using the default workflow, you won't receive a PR.
Need Help?
If you have any questions, reach out to the ioBroker community on Telegram or GitHub (invites at https://www.iobroker.dev). You can also leave a comment below and mention @mcm1957.
A HUGE THANKS to everyone maintaining these adapters. Your work makes a huge difference to the ioBroker community.
Let's work together for the best user experience.
Your ioBroker Check and Service Bot
German Description
What will happen in the near future?
NPM is currently changing several security-relevant parameters. You may already have received an email from npm with the following information:
Dear iobroker-bot,
Important security changes are coming to npm that may affect your packages and workflows. This is the first phase of our comprehensive security improvements.
Phase 1 changes:
- October 13: New granular tokens limited to 90-day maximum lifetime (7-day default)
- October 13: New TOTP 2FA configurations disabled (existing TOTP still works)
- Early November: All classic tokens will be permanently revoked
Action required: If you use classic tokens in any automation, CI/CD pipelines, or local development, you must migrate to granular access tokens before early November to avoid publishing disruptions.
More changes ahead: This is the first of several security updates. Additional phases will follow in the coming months, including further 2FA improvements and expanded trusted publisher support. We'll communicate each phase in advance.
Why we're making these changes: Recent supply chain attacks have shown that compromised long-lived tokens are a critical vulnerability. These phased changes are essential to protect the npm ecosystem and your packages from malicious actors.
Get full details and migration guidance: https://gh.io/npm-token-changes
Need help?
- Join the discussion: https://github.com/orgs/community/discussions/174507
- Contact support: https://www.npmjs.com/support
We understand these changes require effort from you. Thank you for your partnership in making npm more secure for millions of developers worldwide.
Migration to Trusted Publishing recommended by early November 2025
The most important part of the email reads: Early November: All classic tokens will be permanently revoked
Without classic, permanently valid tokens, automatic deployment with the standard test-and-release.yml workflow no longer works. Migration to 'Trusted Publishing' is therefore recommended, and the good news is that this is already supported by ioBroker tools.
Required actions for migrating to "Trusted Publishing"
Setting up the npm trust relationship (independent of the test-and-release workflow variant)
To initiate the migration to Trusted Publishing, it must be configured in the NPM account. The following steps are required:
- Log in to npmjs.com with an account that has publishing rights for the package
- Navigate to the package page:
  - Go to https://www.npmjs.com/package/YOUR-PACKAGE-NAME
  - Click on the "Settings" tab
- Configure Trusted Publishing:
  - Scroll down to the "Publishing access" section
  - Click on "Automate publishing with GitHub Actions" or "Add trusted publisher"
  - Fill in the required information:
    - Repository owner: GitHub username or organization (e.g., ioBroker)
    - Repository name: Name of the adapter repository (e.g., ioBroker.your-adapter)
    - Workflow name: test-and-release.yml (or the name of the release workflow)
    - Environment: Leave blank
- Save the configuration
Further information is available at:
Actions for repositories with an up-to-date test-and-release workflow using ioBroker/testing-action-deploy
The workflow file test-and-release.yml must be adjusted.
- Open test-and-release.yml for editing, either directly on github.com or in the local development environment
- Remove npm-token from the deploy section
  - Find the job named 'deploy'. It should look like this:

```yaml
# Deploys the final package to NPM
deploy:
  needs: [check-and-lint, adapter-tests]
  # Trigger this step only when a commit on any branch is tagged with a version number
  if: |
    contains(github.event.head_commit.message, '[skip ci]') == false &&
    github.event_name == 'push' &&
    startsWith(github.ref, 'refs/tags/v')
  runs-on: ubuntu-latest
  # Write permissions are required to create Github releases
  permissions:
    contents: write
  steps:
    - uses: ioBroker/testing-action-deploy@v1
      with:
        node-version: '20.x'
        # Uncomment the following line if your adapter cannot be installed using 'npm ci'
        # install-command: 'npm install'
        build: true
        npm-token: ${{ secrets.NPM_TOKEN }}
        github-token: ${{ secrets.GITHUB_TOKEN }}
```

  - Find the line that starts with 'npm-token:'
  - Remove this line (or comment it out by adding a '#' as the first character)
  - Find the block that starts with 'permissions:'
  - Add a line 'id-token: write'. Pay attention to correct indentation to avoid an invalid YAML file. If the block is missing entirely, add it including the line 'contents: write' as shown in the example.
- Test the release and deploy workflow: test the functionality by creating a test release.
- Remove the NPM_TOKEN secret from the GitHub repository settings (optional, after confirming that everything works)
Actions for repositories with private, modified or outdated test-and-release.yml workflows
If the repository does not yet use the standard test-and-release workflow, the following steps are recommended:
- Check whether the standard test-and-release workflow and the process described above can be used.
- If a modified / private test-and-release workflow must be kept, at least consider using the action ioBroker/testing-action-deploy@v1 within the workflow. The migration guide described above can then be followed.
- If a private deploy mechanism really must be used, follow the steps in the NPM Trusted Publishing documentation. The following points are important:
  - Make sure the correct workflow name was entered when setting up 'Trusted Publishing'
  - Make sure the latest npm version is really used for the deploy process. Use a dedicated 'npm install -g npm@latest' command for the update within the workflow. The npm version bundled with the Node version might be too old. Add the npm upgrade close to the deploy command; do not update npm for the entire workflow, as this could cause negative side effects.
  - Do NOT use a token and do NOT try to log in to npm. Use 'npm publish' without dedicated authorization.
Upcoming PR for repositories with the standard test-and-release.yml workflow
A tool for generating a PR that adds the required changes to the standard test-and-release workflow is under development. So it is possible to wait a few more days to receive a PR with the required changes to test-and-release.yml. Note that no PR will be received if the standard workflow is not used. The PR is expected within the next week.
For questions, please get in touch, preferably via the development channels on Telegram / Github (invitations available at https://www.iobroker.dev) or by leaving a comment and mentioning @mcm1957.
MANY THANKS for maintaining this adapter, from me and all users. Let's work together for the best user experience.
Your ioBroker Check and Service Bot