Announcing a new, more secure way to publish to PyPI
Trusted publishing replaces long-lived PyPI API tokens with short-lived OIDC credentials, eliminating the most common way attackers gain unauthorized upload access to PyPI.
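As an added illustration (not part of the announcement above, and not the project's own code), here is what the change looks like in a GitHub Actions workflow: the old pattern stores a long-lived PyPI API token as a repository secret, while the trusted-publishing pattern grants the job permission to request a short-lived OIDC token and lets `pypa/gh-action-pypi-publish` exchange it for an upload credential. It assumes the repository has been registered as a trusted publisher on PyPI with this workflow filename and a GitHub environment named `pypi`; both names are placeholders.

```yaml
# Added example: publishing workflow before and after trusted publishing.
# Assumes a PyPI trusted publisher registered for this repo, this workflow
# file, and the GitHub environment "pypi" (all placeholders).
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  # --- Weak setting: a long-lived API token stored as a secret ---------------
  # Anyone who can read the secret (leaked log, compromised action, exfiltrating
  # dependency) can upload to PyPI until the token is manually revoked.
  publish-with-token:
    if: false   # disabled; kept only to show the pattern being replaced
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # long-lived, reusable secret

  # --- Corrected setting: trusted publishing via OIDC ------------------------
  # No stored secret. The job asks GitHub for a short-lived OIDC token that
  # names this repo, workflow and environment; PyPI verifies it against the
  # registered trusted publisher and issues a short-lived upload credential.
  publish-trusted:
    runs-on: ubuntu-latest
    environment: pypi          # must match the environment registered on PyPI
    permissions:
      id-token: write          # required to mint the OIDC token
      contents: read           # least privilege for the rest of the job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no `password:` input: the action performs the OIDC exchange itself
```

Two checks worth doing when adopting this: confirm that no other workflow in the repository still has `id-token: write` together with a publish step, since any such workflow can also mint an upload credential, and delete the old API token from PyPI once the first trusted publish succeeds so the legacy path cannot be reused.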
The Shai-Hulud worm that struck the npm ecosystem motivated us to write this article, which sheds some light on best practices.
Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called “trusted publishing.” Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also […]
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts. As supply chain attac…