<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>npm-trust</title> <style> body { background-color: #ffffff; color: #24292e; margin: 0; line-height: 1.5; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; } #rainbar { height: 10px; background-image: linear-gradient(139deg, #fb8817, #ff4b01, #c12127, #e02aff); } a { text-decoration: none; color: #0366d6; } a:hover { text-decoration: underline; } pre { margin: 1em 0px; padding: 1em; border: solid 1px #e1e4e8; border-radius: 6px; display: block; overflow: auto; white-space: pre; background-color: #f6f8fa; color: #393a34; } code { font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 85%; padding: 0.2em 0.4em; background-color: #f6f8fa; color: #393a34; } pre > code { padding: 0; background-color: inherit; color: inherit; } h1, h2, h3 { font-weight: 600; } #logobar { background-color: #333333; margin: 0 auto; padding: 1em 4em; } #logobar .logo { float: left; } #logobar .title { font-weight: 600; color: #dddddd; float: left; margin: 5px 0 0 1em; } #logobar:after { content: ""; display: block; clear: both; } #content { margin: 0 auto; padding: 0 4em; } #table_of_contents > h2 { font-size: 1.17em; } #table_of_contents ul:first-child { border: solid 1px #e1e4e8; border-radius: 6px; padding: 1em; background-color: #f6f8fa; color: #393a34; } #table_of_contents ul { list-style-type: none; padding-left: 1.5em; } #table_of_contents li { font-size: 0.9em; } #table_of_contents li a { color: #000000; } header.title { border-bottom: solid 1px #e1e4e8; } header.title > h1 { margin-bottom: 0.25em; } header.title > .description { display: block; margin-bottom: 0.5em; line-height: 1; } header.title .version { font-size: 0.8em; color: #666666; } footer#edit { border-top: solid 1px #e1e4e8; margin: 3em 0 4em 0; padding-top: 2em; } table { width: 100%; margin: 1em 0; border-radius: 6px; border: 1px solid #e1e4e8; 
overflow: hidden; border-collapse: separate; border-spacing: 0; } table thead { background-color: #f6f8fa; } table tbody { background-color: #ffffff; } table th, table td { padding: 0.75em; text-align: left; border-right: 1px solid #e1e4e8; border-bottom: 1px solid #e1e4e8; } table th:last-child, table td:last-child { border-right: none; } table tbody tr:last-child td { border-bottom: none; } table th { font-weight: 600; background-color: #f6f8fa; } table code { white-space: nowrap; } </style> </head> <body> <div id="banner"> <div id="rainbar"></div> <div id="logobar"> <svg class="logo" role="img" height="32" width="32" viewBox="0 0 700 700"> <polygon fill="#cb0000" points="0,700 700,700 700,0 0,0"></polygon> <polygon fill="#ffffff" points="150,550 350,550 350,250 450,250 450,550 550,550 550,150 150,150"></polygon> </svg> <div class="title"> npm command-line interface </div> </div> </div> <section id="content"> <header class="title"> <h1 id="----npm-trust----11121"> <span>npm-trust</span> <span class="version">@11.12.1</span> </h1> <span class="description">Manage trusted publishing relationships between packages and CI/CD providers</span> </header> <section id="table_of_contents"> <h2 id="table-of-contents">Table of contents</h2> <div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#prerequisites">Prerequisites</a></li><li><a href="#description">Description</a></li><li><a href="#bulk-usage">Bulk Usage</a></li><li><a href="#configuration">Configuration</a></li><li><a href="#npm-trust-github"><code>npm trust github</code></a></li><ul><li><a href="#synopsis2">Synopsis</a></li><li><a href="#flags">Flags</a></li></ul><li><a href="#npm-trust-gitlab"><code>npm trust gitlab</code></a></li><ul><li><a href="#synopsis3">Synopsis</a></li><li><a href="#flags2">Flags</a></li></ul><li><a href="#npm-trust-circleci"><code>npm trust circleci</code></a></li><ul><li><a href="#synopsis4">Synopsis</a></li><li><a href="#flags3">Flags</a></li></ul><li><a 
href="#npm-trust-list"><code>npm trust list</code></a></li><ul><li><a href="#synopsis5">Synopsis</a></li><li><a href="#flags4">Flags</a></li></ul><li><a href="#npm-trust-revoke"><code>npm trust revoke</code></a></li><ul><li><a href="#synopsis6">Synopsis</a></li><li><a href="#flags5">Flags</a></li></ul><li><a href="#see-also">See Also</a></li></ul></div> </section> <div id="_content"><h3 id="synopsis">Synopsis</h3> <pre><code class="language-bash">npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes]
npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes]
npm trust circleci [package] --org-id &lt;uuid&gt; --project-id &lt;uuid&gt; --pipeline-definition-id &lt;uuid&gt; --vcs-origin &lt;origin&gt; [--context-id &lt;uuid&gt;...] [-y|--yes]
npm trust list [package]
npm trust revoke [package] --id=&lt;trust-id&gt;
</code></pre> <p>Note: This command is unaware of workspaces.</p> <h3 id="prerequisites">Prerequisites</h3> <p>Before using <code>npm trust</code> commands, ensure the following requirements are met:</p> <ul> <li><strong>npm version</strong>: <code>npm@11.10.0</code> or above is required. Run <code>npm install -g npm@^11.10.0</code> to update if needed.</li> <li><strong>Write permissions on the package</strong>: You must have write access to the package you're configuring.</li> <li><strong>2FA enabled on account</strong>: Two-factor authentication must be enabled at the account level; if it is not, enable it before using trust commands.</li> <li><strong>Supported authentication methods</strong>: Granular Access Tokens (GAT) created with the bypass-2FA option are not supported, and legacy basic auth (username and password) credentials will not work for trust commands or endpoints.</li> <li><strong>Package must exist</strong>: The package you're configuring must already exist on the npm registry.</li> </ul> <h3 id="description">Description</h3> <p>Configure trust relationships between npm packages and CI/CD providers using OpenID Connect (OIDC). This is the command-line equivalent of managing trusted publisher configurations on the npm website. Once a relationship exists, a CI job whose OIDC token matches the configured claims is allowed to publish the package.</p> <p>For a comprehensive overview of trusted publishing, see the <a href="https://docs.npmjs.com/trusted-publishers">npm trusted publishers documentation</a>.</p> <p>The <code>[package]</code> argument specifies the package name.
If omitted, npm will use the name from the <code>package.json</code> in the current directory.</p> <p>Each trust relationship has its own set of configuration options and flags based on the OIDC claims provided by that provider. OIDC claims come from the CI/CD provider and include information such as repository name, workflow file, or environment. Because each provider's claims differ, the available flags and configuration keys are not universal: npm matches the claims supported by each provider's OIDC configuration. For the claims and flags supported by a given provider, run <code>npm trust &lt;provider&gt; --help</code>. The flags you set define which CI jobs may publish, so pin the narrowest match the provider supports (for example the specific workflow file and, where available, an environment).</p> <p>The required options depend on the CI/CD provider you're configuring. Detailed information about each option is available in the <a href="https://docs.npmjs.com/trusted-publishers#managing-trusted-publisher-configurations">managing trusted publisher configurations</a> section of the npm documentation. If a provider is repository-based and the option is not provided, npm uses the <code>repository.url</code> field from your <code>package.json</code>, if available; check that this value points at the repository you intend before relying on it.</p> <p>Currently, the registry supports only one configuration per package. Attempting to create a new trust relationship while one already exists results in an error. To replace an existing configuration:</p> <ol> <li>Run <code>npm trust list [package]</code> to view the ID of the existing trusted publisher</li> <li>Run <code>npm trust revoke --id &lt;id&gt; [package]</code> to remove the existing configuration</li> <li>Then create your new trust relationship</li> </ol> <h3 id="bulk-usage">Bulk Usage</h3> <p>For maintainers managing a large number of packages, you can configure trusted publishing in bulk using bash scripting.
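</p>
<p>The list-revoke-create sequence above and the scripted loop this section goes on to describe, combined into one script. This is an added example, not code from the npm CLI or its documentation. It assumes a constructed CSV manifest (<code>package,owner/repo,workflow-file[,environment]</code>), that <code>npm trust list --json</code> reports each relationship with an <code>id</code> field (verify this against the output of your npm version before relying on it), and the <code>NPM</code> and <code>SLEEP_SECONDS</code> environment variables it defines; the function names are its own.</p>

```sh
#!/bin/sh
# Added example (not part of the npm CLI or its docs): bulk-configure GitHub
# Actions trusted publishing for many packages. For each package it lists the
# existing trusted publisher, revokes it (the registry allows one per package),
# creates the new relationship with --yes, and pauses 2 s between packages.
set -eu

NPM="${NPM:-npm}"                    # command to invoke; point at a wrapper if needed
SLEEP_SECONDS="${SLEEP_SECONDS:-2}"  # pause between packages to avoid rate limiting
MIN_NPM="11.10.0"                    # oldest npm that ships `npm trust`

# version_ge A B: succeed when version A >= B, comparing major.minor.patch
# numerically after stripping any pre-release suffix (e.g. 12.0.0-pre.1).
version_ge() {
  set -- "${1%%-*}" "${2%%-*}"
  IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
  IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
  for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
    x="${pair%%:*}"; y="${pair##*:}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# check_npm_version: fail unless the installed npm meets the documented minimum.
check_npm_version() {
  v="$("$NPM" --version)"
  version_ge "$v" "$MIN_NPM" || { echo "npm $v is older than $MIN_NPM" >&2; return 1; }
}

# replace_trust_github PKG OWNER/REPO WORKFLOW_FILE [ENVIRONMENT]
# ASSUMPTION: `npm trust list --json` prints the relationship with an "id"
# field; verify the output shape of your npm version before relying on this.
replace_trust_github() {
  pkg="$1"; repo="$2"; file="$3"; env="${4:-}"
  listing="$("$NPM" trust list "$pkg" --json)" || return 1
  ids="$(printf '%s\n' "$listing" | grep -o '"id" *: *"[^"]*"' | sed 's/.*: *"//; s/"$//')"
  if [ "$(printf '%s\n' "$ids" | grep -c .)" -gt 1 ]; then
    echo "$pkg: more than one trusted publisher listed, refusing to guess which to revoke" >&2
    return 1
  fi
  if [ -n "$ids" ]; then
    "$NPM" trust revoke "$pkg" --id "$ids" || return 1
  fi
  set -- "$pkg" --repo "$repo" --file "$file" --yes
  [ -n "$env" ] && set -- "$@" --env "$env"
  "$NPM" trust github "$@"
}

# bulk_replace_trust_github MANIFEST: MANIFEST is a constructed CSV, one
# package per line:  <package>,<owner/repo>,<workflow-file>[,<environment>]
# Lines starting with '#' and blank lines are skipped. The first registry
# call prompts for 2FA; pick "skip for 5 minutes" on the website so the
# remaining calls run unattended. Returns non-zero if any package failed.
bulk_replace_trust_github() {
  check_npm_version || return 1
  ok=0; failed=0
  # Read the manifest on fd 3 so npm's own prompts still read the terminal.
  while IFS=, read -r pkg repo file env <&3; do
    case "$pkg" in ''|'#'*) continue ;; esac
    if replace_trust_github "$pkg" "$repo" "$file" "$env"; then
      ok=$((ok + 1))
    else
      failed=$((failed + 1)); echo "FAILED: $pkg" >&2
    fi
    sleep "$SLEEP_SECONDS"
  done 3< "$1"
  echo "configured=$ok failed=$failed"
  [ "$failed" -eq 0 ]
}

# Usage: sh bulk-trust.sh packages.csv
if [ $# -gt 0 ]; then
  bulk_replace_trust_github "$1"
fi
```

<p>The manifest is read on file descriptor 3 rather than stdin so that npm's own prompts (the 2FA login on the first call) still read from the terminal instead of consuming manifest lines. Run it as <code>sh bulk-trust.sh packages.csv</code>, complete the 2FA step when the first package prompts, and review the <code>FAILED:</code> lines afterwards; a package listed with more than one trusted publisher is skipped rather than guessed at.</p>
<p>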
Create a loop that iterates through package names and their corresponding configuration details, executing the <code>npm trust &lt;provider&gt;</code> command with the <code>--yes</code> flag for each package.</p> <p>The first request will require two-factor authentication. During that step, the npm website offers an option to skip two-factor authentication for the next 5 minutes. Enabling it lets subsequent <code>npm trust &lt;provider&gt;</code> commands proceed without a second factor, which streamlines bulk configuration; because every call in that window skips the second factor, run the batch from a trusted machine and session.</p> <p>Add a 2-second sleep between calls to avoid rate limiting. With this approach, you can configure approximately 80 packages within the 5-minute two-factor authentication skip window.</p> <h3 id="configuration">Configuration</h3> <h3 id="npm-trust-github"><code>npm trust github</code></h3> <p>Create a trusted relationship between a package and GitHub Actions</p> <h4 id="synopsis2">Synopsis</h4> <pre><code class="language-bash">npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes] </code></pre> <h4 id="flags">Flags</h4> <table> <thead> <tr> <th>Flag</th> <th>Default</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--file</code></td> <td>null</td> <td>String (required)</td> <td>Name of the workflow file in the repository's <code>.github/workflows</code> directory (must end in <code>.yml</code> or <code>.yaml</code>)</td> </tr> <tr> <td><code>--repository</code>, <code>--repo</code></td> <td>null</td> <td>String</td> <td>Repository in the format <code>owner/repo</code>; if omitted, npm derives it from <code>repository.url</code> in <code>package.json</code></td> </tr> <tr> <td><code>--environment</code>, <code>--env</code></td> <td>null</td> <td>String</td> <td>CI environment name (optional; restricts the match to jobs running in that environment)</td> </tr> <tr> <td><code>--dry-run</code></td> <td>false</td> <td>Boolean</td> <td>Indicates that you don't want npm to make any changes and that it should only report what it would have done.
This can be passed into any of the commands that modify your local installation, eg, <code>install</code>, <code>update</code>, <code>dedupe</code>, <code>uninstall</code>, as well as <code>pack</code> and <code>publish</code>. Note: This is NOT honored by other network related commands, eg <code>dist-tags</code>, <code>owner</code>, etc.</td> </tr> <tr> <td><code>--json</code></td> <td>false</td> <td>Boolean</td> <td>Whether or not to output JSON data, rather than the normal output. * In <code>npm pkg set</code> it enables parsing set values with JSON.parse() before saving them to your <code>package.json</code>. Not supported by all npm commands.</td> </tr> <tr> <td><code>--registry</code></td> <td>"<a href="https://registry.npmjs.org/">https://registry.npmjs.org/</a>"</td> <td>URL</td> <td>The base URL of the npm registry.</td> </tr> <tr> <td><code>--yes</code>, <code>-y</code></td> <td>null</td> <td>null or Boolean</td> <td>Automatically answer "yes" to any prompts that npm might print on the command line.</td> </tr> </tbody> </table> <h3 id="npm-trust-gitlab"><code>npm trust gitlab</code></h3> <p>Create a trusted relationship between a package and GitLab CI/CD</p> <h4 id="synopsis3">Synopsis</h4> <pre><code class="language-bash">npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes] </code></pre> <h4 id="flags2">Flags</h4> <table> <thead> <tr> <th>Flag</th> <th>Default</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--file</code></td> <td>null</td> <td>String (required)</td> <td>Name of the pipeline file (e.g., <code>.gitlab-ci.yml</code>)</td> </tr> <tr> <td><code>--project</code>, <code>--repo</code>, <code>--repository</code></td> <td>null</td> <td>String</td> <td>Path of the project in the format <code>group/project</code> or <code>group/subgroup/project</code>; if omitted, npm derives it from <code>repository.url</code> in <code>package.json</code></td> </tr> <tr> <td><code>--environment</code>, <code>--env</code></td> <td>null</td> <td>String</td> <td>CI environment name (optional; restricts the match to jobs running in that environment)</td> </tr> <tr> <td><code>--dry-run</code></td> <td>false</td> <td>Boolean</td>
<td>Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, <code>install</code>, <code>update</code>, <code>dedupe</code>, <code>uninstall</code>, as well as <code>pack</code> and <code>publish</code>. Note: This is NOT honored by other network related commands, eg <code>dist-tags</code>, <code>owner</code>, etc.</td> </tr> <tr> <td><code>--json</code></td> <td>false</td> <td>Boolean</td> <td>Whether or not to output JSON data, rather than the normal output. * In <code>npm pkg set</code> it enables parsing set values with JSON.parse() before saving them to your <code>package.json</code>. Not supported by all npm commands.</td> </tr> <tr> <td><code>--registry</code></td> <td>"<a href="https://registry.npmjs.org/">https://registry.npmjs.org/</a>"</td> <td>URL</td> <td>The base URL of the npm registry.</td> </tr> <tr> <td><code>--yes</code>, <code>-y</code></td> <td>null</td> <td>null or Boolean</td> <td>Automatically answer "yes" to any prompts that npm might print on the command line.</td> </tr> </tbody> </table> <h3 id="npm-trust-circleci"><code>npm trust circleci</code></h3> <p>Create a trusted relationship between a package and CircleCI</p> <h4 id="synopsis4">Synopsis</h4> <pre><code class="language-bash">npm trust circleci [package] --org-id &lt;uuid&gt; --project-id &lt;uuid&gt; --pipeline-definition-id &lt;uuid&gt; --vcs-origin &lt;origin&gt; [--context-id &lt;uuid&gt;...] 
[-y|--yes] </code></pre> <h4 id="flags3">Flags</h4> <table> <thead> <tr> <th>Flag</th> <th>Default</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--org-id</code></td> <td>null</td> <td>String (required)</td> <td>CircleCI organization UUID</td> </tr> <tr> <td><code>--project-id</code></td> <td>null</td> <td>String (required)</td> <td>CircleCI project UUID</td> </tr> <tr> <td><code>--pipeline-definition-id</code></td> <td>null</td> <td>String (required)</td> <td>CircleCI pipeline definition UUID</td> </tr> <tr> <td><code>--vcs-origin</code></td> <td>null</td> <td>String (required)</td> <td>CircleCI repository origin in format 'provider/owner/repo'</td> </tr> <tr> <td><code>--context-id</code></td> <td>null</td> <td>null or String (can be set multiple times)</td> <td>CircleCI context UUID to match</td> </tr> <tr> <td><code>--dry-run</code></td> <td>false</td> <td>Boolean</td> <td>Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, <code>install</code>, <code>update</code>, <code>dedupe</code>, <code>uninstall</code>, as well as <code>pack</code> and <code>publish</code>. Note: This is NOT honored by other network related commands, eg <code>dist-tags</code>, <code>owner</code>, etc.</td> </tr> <tr> <td><code>--json</code></td> <td>false</td> <td>Boolean</td> <td>Whether or not to output JSON data, rather than the normal output. * In <code>npm pkg set</code> it enables parsing set values with JSON.parse() before saving them to your <code>package.json</code>. 
Not supported by all npm commands.</td> </tr> <tr> <td><code>--registry</code></td> <td>"<a href="https://registry.npmjs.org/">https://registry.npmjs.org/</a>"</td> <td>URL</td> <td>The base URL of the npm registry.</td> </tr> <tr> <td><code>--yes</code>, <code>-y</code></td> <td>null</td> <td>null or Boolean</td> <td>Automatically answer "yes" to any prompts that npm might print on the command line.</td> </tr> </tbody> </table> <h3 id="npm-trust-list"><code>npm trust list</code></h3> <p>List trusted relationships for a package</p> <h4 id="synopsis5">Synopsis</h4> <pre><code class="language-bash">npm trust list [package] </code></pre> <h4 id="flags4">Flags</h4> <table> <thead> <tr> <th>Flag</th> <th>Default</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--json</code></td> <td>false</td> <td>Boolean</td> <td>Whether or not to output JSON data, rather than the normal output. * In <code>npm pkg set</code> it enables parsing set values with JSON.parse() before saving them to your <code>package.json</code>. Not supported by all npm commands.</td> </tr> <tr> <td><code>--registry</code></td> <td>"<a href="https://registry.npmjs.org/">https://registry.npmjs.org/</a>"</td> <td>URL</td> <td>The base URL of the npm registry.</td> </tr> </tbody> </table> <h3 id="npm-trust-revoke"><code>npm trust revoke</code></h3> <p>Revoke a trusted relationship for a package</p> <h4 id="synopsis6">Synopsis</h4> <pre><code class="language-bash">npm trust revoke [package] --id=&lt;trust-id&gt; </code></pre> <h4 id="flags5">Flags</h4> <table> <thead> <tr> <th>Flag</th> <th>Default</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--id</code></td> <td>null</td> <td>String (required)</td> <td>ID of the trusted relationship to revoke</td> </tr> <tr> <td><code>--dry-run</code></td> <td>false</td> <td>Boolean</td> <td>Indicates that you don't want npm to make any changes and that it should only report what it would have done. 
This can be passed into any of the commands that modify your local installation, eg, <code>install</code>, <code>update</code>, <code>dedupe</code>, <code>uninstall</code>, as well as <code>pack</code> and <code>publish</code>. Note: This is NOT honored by other network related commands, eg <code>dist-tags</code>, <code>owner</code>, etc.</td> </tr> <tr> <td><code>--registry</code></td> <td>"<a href="https://registry.npmjs.org/">https://registry.npmjs.org/</a>"</td> <td>URL</td> <td>The base URL of the npm registry.</td> </tr> </tbody> </table> <h3 id="see-also">See Also</h3> <ul> <li><a href="../commands/npm-publish.html">npm publish</a></li> <li><a href="../commands/npm-token.html">npm token</a></li> <li><a href="../commands/npm-access.html">npm access</a></li> <li><a href="../commands/npm-config.html">npm config</a></li> <li><a href="../using-npm/registry.html">npm registry</a></li> </ul></div> </section> </body></html>