Staged Publishing for NPM Packages
docs.npmjs.comI am so incredibly stoked to see this! It is the piece which can FINALLY make it so Trusted Publishing can be safely used.
This releases a lot of pressure on maintainers, who until now needed to be experts in securing CI infrastructure in order to reduce the risks inherent in TP being a step backwards compared to local publishing with a second factor.
Will it be perfect? No, Im inclined to think nothing is perfectly secure. But I believe this will go a long way towards improving our ecosystem’s posture against at least the attack vectors we are seeing today.