GitHub/npm has announced security changes that take effect on December 9, 2025. These changes include the deprecation of classic tokens and a 90-day maximum lifetime for granular access write tokens used in publishing workflows. Note that read-only tokens are not subject to the 90-day maximum.
What’s Changing
GitHub/npm is transitioning to a more secure publishing model with three primary options:
- Local publishing with required 2FA
- Granular write tokens (90-day maximum lifetime, requiring regular rotation)
- Trusted publishing via OIDC (currently supporting only GitHub Actions and GitLab CI/CD)
CircleCI’s Status and Readiness
CircleCI has been actively working with GitHub/npm to become an approved trusted publisher. We have updated our OIDC implementation to match what the currently approved trusted publishers provide. We are ready to integrate as soon as approval is granted. Based on GitHub/npm’s projections, this may occur in Q1 2026.
What This Means for You
If you publish npm packages using CircleCI, you’ll need to use granular access tokens with write permissions, rotated every 90 days, until trusted publishing support is available.
How to set up granular tokens:
- Visit npmjs.com/settings/~/tokens
- Click “Generate New Token” → “Granular Access Token”
- Configure appropriate permissions for your packages
- Store the token in CircleCI as an environment variable
- Set a reminder to rotate the token before it expires (90 days)
If you only need to read private packages, you can set a custom expiry date far in the future when generating a read-only token.
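As an added example (not CircleCI’s or npm’s own code), the helpers below show what a publish step can run before `npm publish` to honour the 90-day limit: they compute the token’s age from its creation date and fail the job once the limit has passed (or warn when rotation is due), and they write the `.npmrc` auth line from the environment variable without echoing the token. The variable names NPM_TOKEN, NPM_TOKEN_CREATED (YYYY-MM-DD) and RUN_PUBLISH_CHECKS are assumptions, not names the post defines.

```shell
#!/bin/sh
# Assumed (hypothetical) CircleCI environment variables:
#   NPM_TOKEN          the granular write token
#   NPM_TOKEN_CREATED  date it was generated, YYYY-MM-DD

# Days since 1970-01-01 for a YYYY-MM-DD date, in plain shell arithmetic
# (Hinnant's days_from_civil), so it does not depend on GNU `date -d`.
days_from_civil() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                      # "09" -> "9", avoids octal parsing
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# token_age_days CREATED TODAY -> age in days
token_age_days() {
  echo $(( $(days_from_civil "$2") - $(days_from_civil "$1") ))
}

# check_token_rotation CREATED TODAY [MAX=90] [WARN=14]
# Exit 0 = fine; 1 = past the maximum (token is dead, fail the job);
# 2 = inside the warning window (rotate before the next run).
check_token_rotation() {
  age=$(token_age_days "$1" "$2")
  max=${3:-90}; warn=${4:-14}
  if [ "$age" -ge "$max" ]; then
    echo "npm token is $age days old; the $max-day limit has passed" >&2; return 1
  elif [ "$age" -ge $((max - warn)) ]; then
    echo "npm token is $age days old; rotate within $((max - age)) days" >&2; return 2
  fi
  return 0
}

# Write the registry auth line to FILE with mode 0600; the token value is
# taken from the environment and never printed to the job output.
write_npmrc() {
  [ -n "$NPM_TOKEN" ] || { echo "NPM_TOKEN is not set" >&2; return 1; }
  umask 077
  printf '//registry.npmjs.org/:_authToken=%s\n' "$NPM_TOKEN" > "$1"
}

# Typical use in the publish step (guarded so sourcing the file is a no-op):
if [ "${RUN_PUBLISH_CHECKS:-0}" = 1 ]; then
  check_token_rotation "$NPM_TOKEN_CREATED" "$(date -u +%Y-%m-%d)" || [ $? -eq 2 ]
  write_npmrc "$HOME/.npmrc" && npm whoami   # confirms the token still authenticates
fi
```

Setting the creation date alongside the token when you store it in CircleCI turns the "set a reminder" step into a build failure you cannot forget.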
The security of the npm ecosystem is critical, and we support GitHub’s goals. We also believe that the stewardship of open-source infrastructure like npm should include equitable access for all CI/CD providers. We will continue advocating for CircleCI’s inclusion as a trusted publisher while ensuring you have the tools and support needed to publish securely.
We’ll update this post as we receive more information from GitHub/npm.