Blog | Phil Nash

Things you need to do for npm trusted publishing to work

Published by Phil Nash on Jan 31, 2026

After the recent supply chain attacks on the npm ecosystem, notaby the Shai-Hulud 2.0 worm, GitHub took a number of actions to shore up the security of publishing packages to hopefully avoid further attacks. One of the outcomes was that long-lived npm tokens were revoked in favour of short-lived tokens or using trusted publishing.

A terminal window shows a JavaScript REPL. The code creates a date on the 1st January, 2024, then adds a month to the date. The result is 4th March, 2023.

How wrong can a JavaScript Date calculation go?

Published by Phil Nash on Jan 11, 2026, updated on Jan 14, 2026

The Date object in JavaScript is frequently one that causes trouble. So much so, it is set to be replaced by Temporal soon. This is the story of an issue that I faced that will be much easier to handle once Temporal is more widespread.