
Questions before you paste.

npm trusted publishing FAQ.

+ Who is ForgeKite for?

Library maintainers and DevOps engineers preparing their first npm publish under OIDC trusted publishing — or migrating from a long-lived NPM_TOKEN in GitHub Actions to OIDC.

+ Is the preflight checklist actually working today?

Yes. The 14-row check runs entirely in your browser, using the browser's built-in JSON parser and regular expressions over the text you paste. Nothing leaves the page.

+ What does this replace?

It replaces the ad-hoc "skim three GitHub Issues and hope I caught it" flow before a v1.0.0 release. It does not replace the actual npm trusted-publisher setup, which still requires a manual click on npmjs.com.

+ When does the full product launch?

The hosted audit (paste a repo URL, get a guided report and a fix PR) is in build. The preflight checklist on the landing page is the standalone artifact you can use today.

+ Is it free?

The checklist on this site is free and stays free. Paid options will be for teams that want a CI-integrated audit and an SLSA Level 3 evidence ledger.

+ Does ForgeKite store my package.json or workflow?

No. There is no backend on the checklist page. Open DevTools, check the Network tab, paste your files, and run the check — there are no outbound requests for the artifact.

+ Does it support pnpm, yarn, or bun?

The checklist flags pnpm publish as OK and yarn classic publish as a fail (yarn classic does not speak OIDC). Bun publish landed in mid-2026 and is not yet wired to npm trusted publishing.
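The two answers above describe the shape of the check: plain JSON parsing plus regular expressions over pasted text, with per-tool verdicts for the publish command. The block below is an added example in that spirit and is not ForgeKite's own code; it implements six illustrative rows rather than the site's fourteen. The row list, the `preflight` and `summarize` names, the sample package.json and workflow, and the treatment of a missing `repository.url` as a hard failure are all this example's assumptions. The pnpm, yarn classic and bun verdicts follow the statements on this page; the `id-token: write` requirement is GitHub's standard precondition for minting an OIDC token.

```javascript
// Added example (not ForgeKite's code): a few preflight rows over pasted text.
// Pure functions using JSON.parse and regex only, so they run in a browser tab
// with no network access, or under Node for the usage block at the bottom.

// Verdict for a publish command by tool. pnpm/yarn/bun follow the page's own
// statements; npm publish is the reference case.
function classifyPublish(tool) {
  switch (tool) {
    case "npm":
    case "pnpm":
      return { status: "ok", detail: `${tool} publish supports trusted publishing` };
    case "yarn":
      return { status: "fail", detail: "yarn classic publish does not speak OIDC" };
    case "bun":
      return { status: "warn", detail: "bun publish is not yet wired to npm trusted publishing" };
    default:
      return { status: "warn", detail: `unknown publish tool: ${tool}` };
  }
}

// Run the checklist over the raw package.json text and the raw workflow text.
// Returns an array of rows: { id, status: "ok" | "warn" | "fail", detail }.
function preflight(packageJsonText, workflowText) {
  const rows = [];
  const add = (id, status, detail) => rows.push({ id, status, detail });

  // Row 1: package.json must parse; every later row depends on it.
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
    add("pkg-parses", "ok", "package.json is valid JSON");
  } catch (e) {
    add("pkg-parses", "fail", `package.json does not parse: ${e.message}`);
    return rows;
  }

  // Row 2: "private": true can never be published.
  const isPrivate = pkg.private === true;
  add("pkg-not-private", isPrivate ? "fail" : "ok",
      isPrivate ? '"private": true blocks npm publish' : "package is publishable");

  // Row 3: repository.url is what the provenance statement is checked against.
  // Assumption: a missing value is treated as a hard failure here.
  const repoUrl = typeof pkg.repository === "string"
    ? pkg.repository
    : pkg.repository && pkg.repository.url;
  add("pkg-repository", repoUrl ? "ok" : "fail",
      repoUrl ? `repository: ${repoUrl}` : "repository.url is missing");

  // Row 4: OIDC needs the workflow to request an ID token.
  const hasIdToken = /^\s*id-token:\s*write\s*$/m.test(workflowText);
  add("wf-id-token", hasIdToken ? "ok" : "fail",
      hasIdToken ? "id-token: write is granted" : "permissions.id-token: write is missing");

  // Row 5: a long-lived token still wired in means the migration is incomplete.
  const usesToken = /NPM_TOKEN/.test(workflowText);
  add("wf-no-npm-token", usesToken ? "warn" : "ok",
      usesToken ? "workflow still references NPM_TOKEN" : "no long-lived NPM_TOKEN in workflow");

  // Row 6: classify every publish command the workflow runs.
  const publishRe = /\b(npm|pnpm|yarn|bun)\s+publish\b/g;
  let m;
  let found = 0;
  while ((m = publishRe.exec(workflowText)) !== null) {
    found += 1;
    const verdict = classifyPublish(m[1]);
    add(`wf-publish-${m[1]}`, verdict.status, verdict.detail);
  }
  if (found === 0) add("wf-publish", "fail", "no publish command found in workflow");

  return rows;
}

// Count rows by status so a caller can decide whether to block the release.
function summarize(rows) {
  const counts = { ok: 0, warn: 0, fail: 0 };
  for (const r of rows) counts[r.status] = (counts[r.status] || 0) + 1;
  return counts;
}

// Constructed sample input: a package mid-migration, already granting
// id-token: write but still passing the old NPM_TOKEN secret to npm.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-lib",
  version: "1.0.0",
  repository: { type: "git", url: "git+https://github.com/example-org/example-lib.git" },
});
const SAMPLE_WORKFLOW = `
name: release
on: { push: { tags: ["v*"] } }
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

if (typeof require !== "undefined" && require.main === module) {
  const rows = preflight(SAMPLE_PACKAGE_JSON, SAMPLE_WORKFLOW);
  for (const r of rows) console.log(`${r.status.padEnd(4)} ${r.id}: ${r.detail}`);
  console.log(summarize(rows));
}
```

On the sample input the only non-ok row is the `NPM_TOKEN` warning, which is the point of the migration case: the OIDC permission is in place, but the long-lived secret has not been removed yet. A workflow that runs `yarn publish` with no `id-token: write` line comes back with hard failures on both rows.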

+ Where does the source list come from?

npm docs (docs.npmjs.com/trusted-publishers), GitHub Actions OIDC docs, npm CLI release notes, Sigstore documentation, and real failure threads from npm/cli and r/javascript. Every blog post lists the exact source IDs.