Update: October 13 Security Changes Now Live

[leobalter]

Hello everyone,

As of today, October 13, 2025, the first set of npm security changes is now in effect following up on our September 29 changelog post and the ongoing community discussion.

Changes now active:

• Granular token limits: All newly created granular access tokens with write permissions now have a 7-day default expiration and 90-day maximum lifetime (previously 30-day default with no maximum)
• TOTP 2FA restrictions: New TOTP 2FA configurations are disabled - you cannot add new TOTP devices to your account. Existing TOTP setups continue to work and can be removed but not modified.

What hasn't changed yet:

• Your existing granular tokens continue working with their current expiration dates
• Classic tokens remain functional (revocation coming in early November)
• Existing TOTP 2FA configurations still work

Action needed:

• If you need to set up 2FA on a new account or device, use WebAuthn/passkeys instead of TOTP
• Review your automation workflows to accommodate the new 7-day default token expiration
• Begin migrating away from classic tokens before early November

Documentation has been updated at docs.npmjs.com to reflect these changes.

As a reminder, this is our first set of security improvements. Classic token revocation and additional changes will follow in November. We'll continue to communicate each phase in advance through this discussion thread and future changelog posts.

Thank you for your patience as we work together to strengthen npm's security. This discussion thread can still be used for general feedback, questions, or concerns about any of the npm security changes.

[RokeJulianLockhart]

New TOTP 2FA configurations are disabled - you cannot add new TOTP devices to your account.

@leobalter, how could that increase security...?

[RokeJulianLockhart]

TOTP is being replaced with FIDO2. ¹

Footnotes

1. github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/#totp-2fa-configuration-changes ↩

[3nprob]

Related discussion threads:

• https://github.com/orgs/community/discussions/174505
• https://github.com/orgs/community/discussions/178140

[DonovanDMC]

Being forced to have to randomly replace tokens in workflows I don't use that often isn't really cool