The article discusses a method for securely managing package releases using a "valet key" approach. It outlines how to grant limited access to release tokens while ensuring a clear approval process and full audit trails, ultimately reducing the risk of supply-chain attacks.
This article outlines how to manage the recent change in NPM's token policy, which limits token validity to 90 days. It introduces a tool called github-update-secret that automates the process of updating access tokens across multiple GitHub repositories. While the long-term solution is to adopt OIDC, this tool provides a temporary fix.
Pastoralist is a command-line tool designed to automate the tracking and management of dependency security issues in npm projects, including overrides and resolutions. It helps developers manage dependency versions, detect known vulnerabilities, and clean up overrides that are no longer needed, simplifying package management in both monorepo and single-package setups. The tool provides commands for scanning, fixing vulnerabilities, and maintaining an organized appendix of dependency information.