From fear to pain: NPM trusted publishing and OIDC

github.com

1 points by witnessme a month ago · 1 comment

witnessme (OP) a month ago

2025 was the year when we saw the extreme impact of supply chain attacks. npm did something last month to counter this by retiring old auth tokens in favor of a new authentication method they call trusted publishing; it uses OIDC to authenticate automated publishing via CI. But it seems like a rushed decision: poor coordination and incomplete docs. Result: many package publishers are stuck and not able to release updates to their packages. It's not been two weeks and we already see almost 2k issues on GitHub; the number will rise exponentially.

* Search results on GitHub: https://github.com/search?q=npm+trusted+publishing&type=issu...

* The case in point: https://github.com/gitcommitshow/resilient-llm/issues/39

* Docs issue: https://github.com/npm/cli/issues/8884

* The bug: https://github.com/npm/cli/issues/8730
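For readers who have not seen what the OIDC flow looks like in practice, here is an added example (not from the post or from npm's own docs) of a GitHub Actions publish workflow migrated from a stored long-lived token to trusted publishing. It assumes the package's trusted publisher on npmjs.com has been registered for this repository and this workflow file name, and that the workflow file is named `publish.yml`; the package name, Node version and trigger are placeholders.

```yaml
# Added example: publish to npm via trusted publishing (OIDC) instead of a
# long-lived NPM_TOKEN stored as a repository secret.
# Assumes npmjs.com -> package -> Trusted publishing is configured with this
# repository and workflow file name (publish.yml). Placeholders throughout.
name: publish
on:
  release:
    types: [published]

permissions:
  contents: read        # default for every job; nothing writes to the repo

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets this job mint a short-lived OIDC token for npm
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # registry-url writes an .npmrc so the CLI knows which registry to
          # present the OIDC identity to; no token is written here.
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI (11.5.1 or later); older
      # bundled versions still look for a token and fail with an auth error,
      # which is the class of failure the linked issues describe.
      - run: npm install -g npm@latest

      - run: npm ci

      # BEFORE (token-based; remove this once the trusted publisher exists):
      #   - run: npm publish --access public
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      #
      # AFTER: no secret at all. The CLI exchanges the job's OIDC token for a
      # publish credential bound to this repo + workflow, so a leaked CI log or
      # a compromised fork PR cannot reuse a standing token.
      - run: npm publish --access public
```

If the trusted publisher on npmjs.com is registered for a different workflow file name or repository than the one actually running, the exchange is refused and the CLI reports an authentication error, so check that pairing first when the publish step fails.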
