Saved February 14, 2026
This article outlines key security measures for npm maintainers in response to recent attacks, including the Shai-Hulud incident. It emphasizes using trusted publishing, enforcing two-factor authentication, and adopting WebAuthn for better account protection. These steps aim to strengthen the overall security of the npm ecosystem.
The npm ecosystem has seen increased attacks recently, highlighted by the Shai-Hulud incident. In response, GitHub proposed a roadmap for securing npm's package publishing infrastructure. The article outlines three key recommendations for npm maintainers: switch to npm Trusted Publishing instead of using long-lived tokens, enforce two-factor authentication (2FA) for publishing actions, and prefer WebAuthn for 2FA over traditional Time-based One-Time Passwords (TOTP). These steps aim to improve security for CI/CD pipelines, account management, and authentication processes.
Trusted Publishing addresses the weakness of long-lived tokens, which remain usable by anyone who obtains a copy of them. Traditionally, developers create these tokens so that automated systems can act on their behalf; if a token leaks, the consequences can be severe, as the Shai-Hulud case showed. Trusted Publishing instead relies on OpenID Connect (OIDC): the CI/CD provider issues a short-lived identity token for a specific workflow run, and npm verifies it at the moment of use rather than trusting a static secret. This requires a trust relationship between npm and the CI/CD provider, configured per package, and allows publishing without the risks associated with long-lived tokens.
Trusted Publishing currently has some limitations. It supports only GitHub Actions and GitLab CI/CD Pipelines, so maintainers who publish from other platforms have no Trusted Publishing option. Each npm package can have only one trusted publisher configured, which complicates workflows that publish from multiple repositories or sources. And while Trusted Publishing secures the publishing step itself, projects with private dependencies or non-public upstream providers may still need traditional tokens to install them, leaving potential gaps in their security posture.
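The following GitHub Actions workflow is an added example of the Trusted Publishing setup described above; it is not from the original article or from npm. It assumes the package's trusted publisher on npmjs.com has been registered with this repository, the workflow file name `publish.yml`, and the environment name `npm-publish` (all placeholder values).

```yaml
# .github/workflows/publish.yml (placeholder name; it must match the workflow
# file name registered as the package's trusted publisher on npmjs.com)
name: Publish to npm via Trusted Publishing

on:
  release:
    types: [published]

permissions:
  contents: read
  # Lets the job request an OIDC identity token from GitHub. npm exchanges
  # that token for a short-lived publish credential tied to this run.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # Placeholder environment name. Binding the trusted publisher to a
    # protected environment restricts publishing to approved runs.
    environment: npm-publish
    steps:
      # Pin actions to a full commit SHA in production rather than a tag.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted Publishing needs npm 11.5.1 or newer; runner images may
      # ship an older npm, so upgrade explicitly.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test

      # No NODE_AUTH_TOKEN secret is passed in, so this workflow holds no
      # long-lived credential to steal. npm authenticates with the OIDC
      # token, and the registry attaches provenance to the published version.
      - run: npm publish
```

If the package also installs private dependencies during `npm ci`, those still need a read-only install token, which is exactly the remaining gap the paragraph above describes.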