NPM Token Revocation: Act Now For IoBroker Adapters!

by SLV Team

Hey guys! Heads up, because some big changes are coming to how npm (Node Package Manager) handles security, and this will affect your ioBroker adapters. Let's break down what's happening and what you need to do to keep your stuff running smoothly.

What's the Deal? The Future of NPM

So, npm is beefing up its security measures. They've sent out emails letting everyone know about these changes, and here's the gist:

  • Classic tokens are going away. The old-style, non-expiring tokens you may have stored as CI secrets will be permanently revoked in early November, so time is of the essence!
  • Granular tokens are the new hotness. New granular tokens have a limited lifetime (7 days by default, 90 days at most) and can be restricted to specific packages, which limits what an attacker can do with a stolen one.

Here's a snippet from the email they sent:

Dear iobroker-bot,

Important security changes are coming to npm that may affect your packages and workflows. This is the first phase of our comprehensive security improvements.

Phase 1 changes:

• October 13: New granular tokens limited to 90-day maximum lifetime (7-day default)

• October 13: New TOTP 2FA configurations disabled (existing TOTP still works)

• Early November: All classic tokens will be permanently revoked

Action required: If you use classic tokens in any automation, CI/CD pipelines, or local development, you must migrate to granular access tokens before early November to avoid publishing disruptions.

More changes ahead: This is the first of several security updates. Additional phases will follow in the coming months, including further 2FA improvements and expanded trusted publisher support. We'll communicate each phase in advance.

Why we're making these changes: Recent supply chain attacks have shown that compromised long-lived tokens are a critical vulnerability. These phased changes are essential to protect the npm ecosystem and your packages from malicious actors.

Get full details and migration guidance: https://gh.io/npm-token-changes

Need help?

• Join the discussion: https://github.com/orgs/community/discussions/174507

• Contact support: https://www.npmjs.com/support

We understand these changes require effort from you. Thank you for your partnership in making npm more secure for millions of developers worldwide.

Basically, they're tightening things up after recent supply-chain attacks in which stolen long-lived tokens were used to publish malicious package versions. The main takeaway is this: You need to take action if you use classic tokens anywhere, in CI or on your own machine.

The Deadline: Early November 2025

The big red flag in all this is that all classic tokens will be permanently revoked in early November. If you're using these tokens for things like automated deployments, your workflows will break. No bueno!

The Solution: Migrate to Trusted Publishing

The good news is that the solution, Trusted Publishing, is already supported by ioBroker tools. With Trusted Publishing there is no stored npm secret at all: the GitHub Actions job presents a short-lived OIDC ID token to npm, and npm exchanges it for a short-lived publish token that is only valid for that run. This is the recommended path forward, and it's what you need to do to keep your adapter updates rolling out automatically. One caveat: the trust is tied to your repository and workflow file name, so anyone who can push a version tag or edit workflows in that repository can publish. Keep tag creation and workflow edits restricted to maintainers.

How to Migrate: Step-by-Step Guide

Alright, let's get you set up with Trusted Publishing. Here’s what you gotta do:

1. Set Up the NPM Trust Relationship

First, you need to tell npm that you trust your GitHub repository to publish updates. Here's how:

  1. Log in to npmjs.com using your account that has permission to publish your package.

  2. Go to your package page at https://www.npmjs.com/package/YOUR-PACKAGE-NAME. Note that the npm package name is lowercase (e.g., iobroker.your-adapter for the repository ioBroker.your-adapter).

  3. Click the "Settings" tab.

  4. Find the "Publishing access" section and scroll down a bit.

  5. Click "Automate publishing with GitHub Actions" or "Add trusted publisher." This is where the magic happens!

  6. Fill in the details:

    • Repository owner: Your GitHub username or organization (e.g., ioBroker).
    • Repository name: The name of your adapter repository (e.g., ioBroker.your-adapter).
    • Workflow name: test-and-release.yml (the file name of your release workflow under .github/workflows/, without the directory; this is the standard name).
    • Environment: Leave this blank. The standard workflow does not run in a GitHub Environment, and a value entered here must match the environment of the deploy job exactly, so a stray value makes every publish fail.

    IMPORTANT: Make sure all these details are entered exactly as they appear. Case matters!

  7. Save your configuration.

For more detailed info, check out:

2. Update Your test-and-release.yml Workflow (If Using Standard Workflow)

If you're using the standard test-and-release.yml workflow (which is the recommended setup), you'll need to tweak your file. Here's how to do it:

  1. Open test-and-release.yml. You can edit this directly on GitHub or in your local development environment.

  2. Remove the npm-token line. Find the deploy job section; it should look something like this:

      # Deploys the final package to NPM
      deploy:
        needs: [check-and-lint, adapter-tests]
    
        # Trigger this step only when a commit on any branch is tagged with a version number
        if: |
          contains(github.event.head_commit.message, '[skip ci]') == false &&
          github.event_name == 'push' &&
          startsWith(github.ref, 'refs/tags/v')
    
        runs-on: ubuntu-latest
    
        # Write permissions are required to create Github releases
        permissions:
          contents: write
    
        steps:
          - uses: ioBroker/testing-action-deploy@v1
            with:
              node-version: '20.x'
              # Uncomment the following line if your adapter cannot be installed using 'npm ci'
              # install-command: 'npm install'
              build: true
              npm-token: ${{ secrets.NPM_TOKEN }}
              github-token: ${{ secrets.GITHUB_TOKEN }}
    

    Locate the line starting with npm-token: ${{ secrets.NPM_TOKEN }} and either remove it or comment it out by adding a # at the beginning of the line.

  3. Add id-token: write to the permissions section. This permission lets the job request the OIDC ID token that npm verifies; without it, npm publish will fall back to asking for a token and fail. Find the permissions: block and add the line id-token: write to it, making sure the indentation matches to avoid YAML errors. If the permissions: block is missing, add it, including the contents: write line. The updated block should look like this:

        permissions:
          contents: write
          id-token: write
    
  4. Test your release and deploy workflow. Push a test version tag (or create a test release) and confirm that the deploy job publishes to npm without NPM_TOKEN. Do this before the November cutoff, while you can still fall back to the classic token if something goes wrong.

  5. (Optional, but recommended) Remove the NPM_TOKEN secret from your GitHub repository settings after you've confirmed that the workflow works with Trusted Publishing, and revoke the classic token itself under your npmjs.com account. The repository secret is only a copy; the token stays valid until it is revoked.

3. If You're Using a Custom Workflow

If you're not using the standard test-and-release.yml workflow, here's what you should consider:

  • Try to switch to the standard workflow. It'll make your life easier in the long run!
  • If you must keep your custom workflow, at least use the ioBroker/testing-action-deploy@v1 action. This will help with the migration.
  • If you're really locked into a custom deploy mechanism, follow the instructions in the NPM Trusted Publishing documentation. Key points:
    • Make sure you entered the correct workflow name when setting up Trusted Publishing.
    • Ensure you use a current npm release in your workflow (e.g., npm install -g npm@latest). Trusted Publishing needs a recent npm CLI (the npm docs state npm 11.5.1 or later), and the npm version bundled with your Node.js release is likely older.
    • Run npm install -g npm@latest in the publish step, directly before the npm publish command, rather than at the start of the workflow. Upgrading npm for the whole workflow changes the version used by npm ci and your tests and can cause unrelated failures.
    • Do NOT use a token or try to log in to npm in your workflow. Run npm publish without any configured credentials (no NODE_AUTH_TOKEN, no _authToken in .npmrc); npm detects the GitHub Actions OIDC environment itself and performs the token exchange, and the job must have id-token: write for that to work.
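For a custom workflow, here is a minimal publish job that follows the points above. It is an added example, not ioBroker's code; the workflow file name release.yml, the job name publish and the build/test scripts are assumptions, and the file name must match what you entered as Workflow name on npmjs.com.

```yaml
# Added example (not from the ioBroker project): a minimal custom release workflow
# that publishes with npm Trusted Publishing instead of a stored token.
# Assumption: this file is saved as .github/workflows/release.yml and "release.yml"
# was entered as the Workflow name in the npm trusted publisher settings.
name: release

on:
  push:
    tags:
      - 'v*'

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # checkout only; add write if you also create GitHub releases here
      id-token: write   # required for the OIDC exchange; without it npm publish fails with an auth error

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          # No registry-url and no NODE_AUTH_TOKEN: the job must not carry any npm credential.

      # Install, build and test with the npm that ships with Node, so these steps
      # behave exactly as before the migration.
      - run: npm ci
      - run: npm run build --if-present
      - run: npm test --if-present

      # Upgrade npm only here, immediately before it is needed for the OIDC exchange.
      - name: Publish with Trusted Publishing
        run: |
          npm install -g npm@latest
          npm --version
          npm publish
```

After the first successful run, you can confirm from any machine that the published version was signed by installing it into a scratch project and running npm audit signatures, which checks the registry signatures and provenance attestations of the installed packages.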

The Coming PR (For Standard Workflows)

Good news! A tool is in the works that will automatically generate a pull request (PR) with the necessary changes for the standard test-and-release.yml workflow, and it is expected within the next week. So, if you're using that workflow, you might see a PR pop up soon, making the migration even easier. Be aware that you won't get a PR if you're not using the default workflow, and that the PR only covers the workflow file: you still have to set up the trust relationship on npmjs.com yourself (step 1 above).

Need Help? Let's Connect!

If you have any questions or run into any snags, don't hesitate to reach out! The best places to connect are the development channels on Telegram and GitHub (invites are available at https://www.iobroker.dev). You can also leave a comment and mention me (@mcm1957).

Thanks a ton for all your hard work in maintaining your adapters. You guys rock! Let's all work together to keep the ioBroker community awesome!

Best, ioBroker Check and Service Bot