
The Changelog: Software Development, Open Source
Securing npm is table stakes (Interview)
Jan 29, 2026

Nicholas C. Zakas, seasoned JavaScript engineer and creator/maintainer of ESLint, critiques npm security and shares hard-earned tooling perspective. He discusses mass compromise patterns, maintainer risks, GitHub's response and the limits of trusted publishing. He also explores anomaly detection, registry alternatives like JSR and Volt, and funding or stewardship paths forward.
AI Snips
ESLint's Publish Compromise And Response
- ESLint experienced suspicious pull requests and once had a compromised publish via reused credentials.
- That incident led Nicholas to remove individual publish rights and tighten ESLint's publishing process.
Rotate Tokens Or Use Just-in-Time Credentials
- Use fine-grained, short-lived tokens or trusted publishing to avoid long-lived credentials.
- Prefer on-demand OpenID Connect tokens in CI to eliminate stored publish credentials where practical.
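As an added illustration (not from the episode), a GitHub Actions release workflow that publishes to npm with an on-demand OpenID Connect token instead of a stored token; it assumes a trusted publisher for this repository and workflow file has already been registered in the package's settings on npmjs.com, and that the npm CLI is 11.5.1 or newer. Workflow and package names are placeholders; the two-factor trade-off described in the next snip still applies to this setup.

```yaml
# Added example: release workflow using npm trusted publishing (OIDC).
# Assumption: a trusted publisher (this repo + this workflow file name) is
# registered for the package on npmjs.com, so no npm token is stored anywhere.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write      # lets the job mint a short-lived OIDC token for the registry

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm 11.5.1 or newer; Node's bundled npm may be older.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish --provenance --access public
        # No NODE_AUTH_TOKEN here: npm exchanges the job's OIDC token with the
        # registry for a one-shot publish credential tied to this workflow run.

      # For contrast, the long-lived-credential form this replaces (commented out):
      # - run: npm publish
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # token at rest in repo secrets
```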
Trusted Publishing Has Trade-Offs
- Trusted publishing reduces token exposure but creates platform lock-in and lacks two-factor protections.
- OpenJS Foundation recommended critical packages avoid trusted publishing until 2FA and extra safeguards exist.
