[Feature Request]: Trusted publishing for npm packages

[btea]

What should be improved?

https://docs.npmjs.com/trusted-publishers

Describe the solution you would like

e18e/ecosystem-issues#201

Possible alternatives

No response

Additional context

Recently, npm dependency packages have been frequently attacked. To reduce the risk of token leakage., it is recommended to remove the npm token and use OIDC for publishing.

Are you willing to work on this?

• Yes, I would like to help

[ludofischer]

Thank you for opening this issue. Have you got experience implementing this yourself. I was just reading about it since the high-profile hacks in the last days, but I did not exactly understand how it is more secure than a token. I guess with OIDC, the attacker would need to be able to commit code to this repository, which is harder than just stealing the token. We should just follow the documentation and we're good, right? Are there any trade-offs? @alexander-akait what do you think of using trusted publishing?

[btea]

It seems that my previous description was wrong. In fact, the purpose is not to use tokens and reduce the risk of token leakage. https://docs.npmjs.com/trusted-publishers#prefer-trusted-publishing-over-tokens

[ludofischer]

If there are no objections I will move ahead and configure trusted publishing on NPM

[alexander-akait]

@ludofischer sounds good for me