Replies: 6 comments 8 replies
-
Are the "established trust" changes going to land before this change? This is great for those using other ci providers, but it will still almost certainly result in storing the actual login credentials in secrets unless we can completely eliminate the need for a token
-
Thanks for the great question — totally get the concern about "established trust" landing in time. For anyone using non-GitHub/GitLab CI providers, this change still means falling back to storing some kind of secret unless we can fully eliminate tokens. Token removal is now back to Nov 19 (not Dec 9 as earlier planned). CLI support for granular tokens will land at the same time, along with 2FA-by-default for new packages. Yarn v1/v2 auth is safe — the CouchDB endpoint is restored and live. What you can do right now to avoid storing long-term credentials: If you're on GitHub Actions or GitLab CI → switch to Trusted Publishing (OIDC). No token needed at all. If you drop your CI setup (Jenkins? CircleCI? Azure?), I can help draft a migration script or workflow.
-
It is not an enjoyable experience having to subscribe to new threads in order to stay apprised of the state of things since the previous threads keep getting marked as resolved.
-
If the date was moved to 2025-12-09, why do I have users complaining that their tokens were disabled yesterday?!
-
Hi, is mandatory 2FA for local publishing still a part of the plan? I see we've enabled 2FA bypass on the granular tokens, but is that a permanent policy or just a way to buffer the transition to Trusted Publishing?
-
Hi everyone,
Quick update on our npm security timeline: We're moving the classic token removal from November 19 to December 9, 2025.
Why the change? We're bundling this breaking change with a highly-requested feature that will make the transition smoother. On December 9, we're shipping CLI support for managing granular access tokens directly from your terminal, in addition to classic token removal.
What's coming December 9
Classic tokens will be permanently revoked, with all remaining npm classic tokens stopping work. Going forward, login sessions will use 2-hour tokens requiring periodic re-authentication. Learn more about the token changes in our security strengthening post.
CLI token management for granular tokens is finally arriving. You'll be able to create, list, and revoke granular access tokens from your terminal with a similar experience to the classic npm token command, adapted for granular tokens now with enforced 2FA. No more web-only token management! Check out the documentation on granular access tokens to prepare.
We're also making packages secure-by-default, with 2FA enforcement becoming the default option for all new packages. This means better security out of the box without manual configuration. Learn about 2FA for publishing on npm if you haven't set it up yet.
Good news for Yarn users: The /user/org.couchdb.user:username API endpoint has been restored, so Yarn v1 and v2 authentication workflows will continue working. This fix is already live.
What this means for you
By delivering these features together, you'll have the tools you need right when you need them. Instead of losing classic tokens and having to navigate the website for replacements, you can manage granular tokens directly from your familiar CLI workflow.
No action needed until December 9. Your existing classic tokens continue working until then.
Stay informed
Review our previous update about classic token creation being disabled (Nov 5) and the original security roadmap announcement. You can start creating granular access tokens now if you want to get ahead of the change.
We'll share more details as we approach December 9. Thank you for your patience as we strengthen npm's security foundation while keeping your experience as smooth as possible.
Questions or concerns? Let us know below.