@reggi reggi commented Jan 12, 2026

Introducing npm trust 🎉

A new command / set of registry API endpoints that allows a user to add, remove and check the Trusted configurations between npm's registry and Trusted Publishers.

This command will allow maintainers to have a mechanism for managing their configurations outside of the npm website.

A lot of maintainers have mentioned how they'd like to be able to set Trusted Publishing "in bulk", and this solution allows maintainers to set up a simple bash script to loop over and set these configurations for many packages / repositories quickly.

These commands will require two-factor auth; it's not based on package access settings or your account having 2fa enabled. The two-factor confirmation page will have the 2fa "cooldown" checkbox like npm publish, which will allow you to not have to re-enter the 2fa for this endpoint for a set amount of time for a given IP address.

$ npm trust --help
Create a trusted relationship between a package and a OIDC provider

Usage:
npm trust

Subcommands:
  github
    Create a trusted relationship between a package and GitHub Actions

  gitlab
    Create a trusted relationship between a package and GitLab CI/CD

  list
    List trusted relationships for a package

  revoke
    Revoke a trusted relationship for a package

Run "npm trust <subcommand> --help" for more info on a subcommand.

Run "npm help trust" for more info
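The "bulk" workflow the description mentions, as an added example that is not code from this PR or from the npm CLI: a POSIX shell loop over a constructed package list that runs `npm trust github` once per package and records failures instead of aborting the batch. It assumes `--package <name>` is the flag behind the `options.values.package` seen in the PR's code; the repository/workflow flags are not shown on this page, so they are left to a `FLAG_TEMPLATE` variable you fill in from `npm trust github --help`. `NPM_CMD`, `FLAG_TEMPLATE`, `RUN_TRUST_BATCH` and the `@example/*` packages are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from the npm/cli PR): configure Trusted Publishing for
# many packages in one pass, recording failures instead of aborting the batch.
set -u

# Constructed sample input, one "<package> <owner/repo>" pair per line. In real
# use, read this from a file you maintain alongside your packages.
PACKAGES='@example/pkg-a example-org/pkg-a
@example/pkg-b example-org/pkg-b
@example/pkg-c example-org/pkg-c'

# ASSUMPTION: --package is the flag that populates options.values.package in the
# PR's code. The repository/workflow flags are not shown on the PR page, so they
# come from FLAG_TEMPLATE ({repo} is substituted per package), which you fill in
# from `npm trust github --help`.
FLAG_TEMPLATE="${FLAG_TEMPLATE:-}"
NPM_CMD="${NPM_CMD:-npm}"   # overridable so the loop can be exercised offline
FAILED=""                   # newline-separated names of packages that failed
FAILED_COUNT=0

# Pure function: prints the npm arguments for one package, so the mapping can be
# checked without touching the registry.
build_trust_args() {
  pkg="$1"; repo="$2"
  extra=$(printf '%s' "$FLAG_TEMPLATE" | sed "s|{repo}|$repo|g")
  printf 'trust github --package %s %s' "$pkg" "$extra"
}

# Runs one `npm trust github` per package. A non-zero exit (expired 2FA
# confirmation, registry error) is recorded and the loop continues with the
# next package. The list is read on fd 3 so npm keeps the real stdin for its
# 2FA prompt instead of swallowing the package list.
run_batch() {
  FAILED=""; FAILED_COUNT=0
  while read -r pkg repo <&3; do
    [ -n "$pkg" ] || continue
    args=$(build_trust_args "$pkg" "$repo")
    # shellcheck disable=SC2086  # word splitting of $args is intended here
    if "$NPM_CMD" $args; then
      printf 'ok   %s\n' "$pkg"
    else
      rc=$?
      printf 'FAIL %s (exit %s)\n' "$pkg" "$rc"
      FAILED="$FAILED$pkg
"
      FAILED_COUNT=$((FAILED_COUNT + 1))
    fi
  done 3<<EOF
$PACKAGES
EOF
  printf '%d package(s) failed; re-run those after refreshing your 2FA session\n' "$FAILED_COUNT"
  return 0
}

# Only contact the registry when explicitly asked, so sourcing this file is safe.
if [ "${RUN_TRUST_BATCH:-0}" = 1 ]; then
  run_batch
fi
```

Run it as `RUN_TRUST_BATCH=1 FLAG_TEMPLATE='<flags from --help, with {repo}>' sh bulk-trust.sh`. The first iteration is what triggers the two-factor confirmation page described above; ticking the cooldown checkbox there is what lets the remaining iterations go through without re-prompting, and anything that still fails is listed at the end for a second pass.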

@reggi reggi requested a review from a team as a code owner January 12, 2026 17:34
@owlstronaut owlstronaut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy with this. Just a couple of nits, but I think this will be a great architecture to build from.

I skipped over reviewing the tests as I only have so much time on this beautiful planet

static positionals = null

// this is a static so that we can read from it without instantiating a command
// this is a static so that we can read =rom it without instantiating a command
Suggested change
// this is a static so that we can read =rom it without instantiating a command
// this is a static so that we can read from it without instantiating a command

Mistype?

Comment on lines +40 to +41
#argv = undefined
#excludeNpmCwd = undefined
are these used?

// Throw error if unknown flags were found
if (unknownFlags.length > 0) {
const flagList = unknownFlags.map(f => `--${f}`).join(', ')
throw new Error(`Unknown flag${unknownFlags.length > 1 ? 's' : ''}: ${flagList}`)
would a usageError be nice here?

await this.confirmOperation(yes)
const trustConfig = this.constructor.optionsToBody(options.values)
const response = await this.createConfig(options.values.package, [trustConfig])
const body = await response.json(yes)
Suggested change
const body = await response.json(yes)
const body = await response.json()

I think you only wanted this for the this.confirmOperation above

}
await this.confirmOperation(yes)
const trustConfig = this.constructor.optionsToBody(options.values)
const response = await this.createConfig(options.values.package, [trustConfig])
Should the request body be an object trustConfig or an array of single object [trustConfig]?
