Saved February 14, 2026
Do you care about this?
npm is implementing a staged publishing model that adds a review step before packages go live, following a series of supply chain attacks in 2025. The change is meant to give maintainers a chance to catch malicious or unintended changes before they are published. Approving a staged release requires multi-factor authentication.
If you do, here's more
npm plans to implement staged publishing in response to a series of supply chain attacks in 2025, notably the Shai-Hulud campaign. The new release model adds a review step before packages go live and requires multi-factor authentication (MFA) from package owners. The goal is a buffer period in which maintainers can catch unintended or malicious changes before they become publicly available, addressing the growing operational risk posed by automated compromises.
The backdrop for this change is the recent revocation of classic tokens, which had long been a security risk because they did not expire and were widely reused. In November 2025, npm disabled the creation of these tokens and revoked existing ones by December 9, replacing them with short-lived session tokens and granular access tokens. The transition proved challenging for many maintainers, especially those managing multiple packages: it required manual configuration, and limited automation support complicated the publication process.
User frustration was amplified by unclear documentation and rapid policy changes. Some maintainers faced frequent authentication failures and had to re-authenticate every two hours, prompting npm to extend session token lifetimes from two hours to twelve. The article highlights the broader implications of these changes, including calls for improved anomaly detection. Critics argue that tightening credential policies alone will not sufficiently improve the security of npm's publishing workflows.