Description
We started a discussion around the idea of using Trusted Publishing (ref); this issue is a more formal continuation of my comment:
Regarding Trusted Publishing, we did a great deal of research and concluded that:
We believe Trusted Publishing represents the future, but it’s not yet ready for adoption in critical projects, as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.
https://openjsf.org/blog/publishing-securely-on-npm
Mostly due to the missing step of 2FA confirming the publication. This will be fixed by npm once staged publishing is deployed (no ETA yet): https://github.blog/security/supply-chain-security/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign/
In Express we are trying to do a CI version with 2FA (under discussion: expressjs/discussions#443), so we can probably adopt it if we want to avoid local publication due to the bus factor.
cc: @webpack/security-wg
Next steps
- Include TSC Meeting agenda label
Context
- Related to [TSC]: create an npm organization #86