Supply-Chain-Security

GitHub has shut off classic npm tokens and tightened rules around granular tokens. Here’s how to triage failures, hunt for exposure, and...

npm classic tokens are over: IR guidance for revocations, 2FA, and short‑lived credentials

4n6 Beat

On November 5, 2025, GitHub disabled creation of classic npm tokens and tightened controls on granular tokens: write-capable granular tokens now enforce 2FA by default and are limited to a maximum 90-day lifetime, with a seven-day default for new write tokens. GitHub also indicated that local publishing sessions would shift to two-hour tokens, and initially targeted November 19 for revoking all remaining classic tokens. Validate the current cutoff in your environment (GitHub’s community channel noted a possible shift to December 9 to coincide with CLI improvements), then proceed as if long-lived classic credentials are dead and rotation is mandatory. (Sources: GitHub Changelog, Nov 5; GitHub Changelog, Sep 29; GitHub Community discussion, Nov 13; github.blog.)
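As an added illustration of the "hunt for exposure, then rotate" step (example code written for this post, not GitHub's or npm's own tooling), the script below does two things defenders typically need during this triage: it scans `.npmrc` contents for credential lines and flags any secret stored literally on disk rather than pulled from an environment variable, and it checks a token inventory against the new lifetime rules (classic tokens gone, write-capable granular tokens capped at 90 days). The `.npmrc` sample, the inventory records and the field names (`type`, `write`, `created`, `expires`) are constructed for the example; the `_authToken`/`_auth` line format is npm's real syntax.

```python
import re
from datetime import date, timedelta

# Constructed sample .npmrc (not from the original post): one hard-coded token,
# one environment-variable reference, one legacy base64 _auth entry.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_not_a_real_token
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
//registry.example.internal/:_auth=ZXhhbXBsZTpwbGFjZWhvbGRlcg==
"""
# npm auth lines take the form //<registry>/:_authToken=<value> or //<registry>/:_auth=<value>
AUTH_LINE = re.compile(r"^\s*//(?P<registry>\S+?)/:_(?P<kind>authToken|auth)=(?P<value>\S+)")
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # ${NAME}: npm expands it at run time

def scan_npmrc(text):
    """Return (registry, kind, status) per credential line; 'hardcoded' means the
    secret itself is on disk and must be rotated, 'env-ref' means it comes from the environment."""
    findings = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            status = "env-ref" if ENV_REF.match(m.group("value")) else "hardcoded"
            findings.append((m.group("registry"), m.group("kind"), status))
    return findings

def rotation_due(token, today, max_days=90):
    """Check one inventory record against the post's rules: classic tokens are gone,
    write-capable granular tokens must carry an expiry no more than 90 days out."""
    if token["type"] == "classic":
        return "classic: creation disabled and revocation scheduled, replace now"
    if token["write"]:
        if token["expires"] is None:
            return "write token without expiry: violates 90-day ceiling"
        if token["expires"] - token["created"] > timedelta(days=max_days):
            return "write token lifetime over 90 days: reissue"
    if token["expires"] is not None and token["expires"] <= today:
        return "expired: reissue"
    return "ok"

def triage_sample_inventory(today=date(2025, 11, 5)):
    """Constructed inventory records (demo data, not real tokens) run through rotation_due."""
    inventory = [
        {"name": "ci-publish", "type": "classic", "write": True, "created": date(2024, 1, 1), "expires": None},
        {"name": "release-bot", "type": "granular", "write": True, "created": today, "expires": today + timedelta(days=7)},
        {"name": "legacy-write", "type": "granular", "write": True, "created": today, "expires": today + timedelta(days=120)},
        {"name": "read-mirror", "type": "granular", "write": False, "created": today, "expires": None},
    ]
    return [(t["name"], rotation_due(t, today)) for t in inventory]
```

Run `scan_npmrc` over every `.npmrc` in home directories and CI runners, and feed your real token export into `rotation_due`; anything reported as `hardcoded` or not `ok` goes on the rotation list.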