Securely Publishing our Packages to npm
As we harden our release practices in the wake of numerous recent vulnerabilities in npm packages amongst high-profile authors, it seems worthwhile to celebrate a major milestone for 11ty core and our official suite of plugins: we are now npm Access Token-free!
The @11ty/* ecosystem on npm is now fully migrated to Trusted Publishers.
If you’re interested in taking steps to improve your own security footprint, you can read more about the steps we took in “No more tokens! Locking down npm Publish Workflows”.
Dependency Watch
In this same vein, as a project Eleventy has continuously and relentlessly focused on reducing our dependency footprint. You may remember the latest Dependency Watch on our v3.1.0 core release notes:
| Version | Production Dep Count | Production Size |
|---|---|---|
| v3.1.0 | ×142 | 21.4 MB |
| v3.0.0 | ×187 | 27.4 MB |
| v2.0.1 | ×215 | 36.4 MB |
| v1.0.2 | ×356 | 73.3 MB |
Very astute observers may also be eyeing the upcoming 4.0 canaries, which include even more improvements to these numbers! v4.0.0-alpha.4 is 16.6 MB with ×131 deps (with more improvements on the way)!
