
SEC-520: npm registry token exposure

Open Shasheen8 opened this issue 2 months ago • 1 comments

Security Fix: NPM Registry Token Exposure

Issue: NPM registry authentication tokens were exposed in the DOM on the Custom NPM Registry settings page, accessible to all workspace members including read-only users (SEC-520).

Changes:

  • Modified NpmRegistry type
  • Updated compile.ts to handle the boolean flag instead of the actual token
  • Removed client-side token handling from NPM registry fetcher

Impact:

  • Auth tokens are no longer sent to the client
  • Client only receives a boolean indicating if a token is configured
  • Tokens cannot be extracted from DOM, network requests, or browser storage
  • NPM package fetching continues to work as authentication is handled server-side

This fix ensures sensitive NPM registry credentials remain server-side only, preventing unauthorized access by workspace members with limited permissions.

Associated tickets:

  1. SEC-520
  2. ENG-39975

Shasheen8 Sep 23 '25 01:09
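The redaction pattern the issue describes (client receives a boolean flag, the token stays with the server-side fetcher), as an added TypeScript example that is not code from codesandbox-client; the type names, the `authToken`/`hasAuthToken` fields, the helper functions and the sample registry are all assumptions.

```typescript
// Server-side record: holds the real credential and never leaves the server.
interface ServerNpmRegistry {
  registryUrl: string;
  enabledScopes: string[];
  authToken?: string;
}

// Client-side shape: the credential is replaced by a boolean, so the DOM,
// network responses and browser storage only ever carry true/false.
interface ClientNpmRegistry {
  registryUrl: string;
  enabledScopes: string[];
  hasAuthToken: boolean;
}

// Project the server record into the client-safe shape. Fields are copied
// explicitly (no object spread) so a newly added secret field cannot leak by default.
function toClientRegistry(registry: ServerNpmRegistry): ClientNpmRegistry {
  return {
    registryUrl: registry.registryUrl,
    enabledScopes: [...registry.enabledScopes],
    hasAuthToken: typeof registry.authToken === "string" && registry.authToken.length > 0,
  };
}

// Server-side request builder: the Authorization header is attached here, so package
// fetching keeps working while the browser never receives the token.
function buildRegistryRequest(
  registry: ServerNpmRegistry,
  packageName: string,
): { url: string; headers: Record<string, string> } {
  const headers: Record<string, string> = {};
  if (registry.authToken) headers["Authorization"] = `Bearer ${registry.authToken}`;
  // Scoped names keep the "@" and encode only the slash, as npm registries expect.
  const encodedName = packageName.replace("/", "%2F");
  const url = `${registry.registryUrl.replace(/\/$/, "")}/${encodedName}`;
  return { url, headers };
}

// Regression check for the fix: serialize whatever is about to be sent to the client
// and confirm that none of the configured secrets appears anywhere in it.
function leaksSecret(clientPayload: unknown, secrets: string[]): boolean {
  const json = JSON.stringify(clientPayload);
  return secrets.some((s) => s.length > 0 && json.includes(s));
}

// Constructed sample input; not a real registry or token.
const sampleRegistry: ServerNpmRegistry = {
  registryUrl: "https://registry.example.internal/",
  enabledScopes: ["@example"],
  authToken: "CONSTRUCTED-SAMPLE-TOKEN-0000",
};
```

Running `leaksSecret` against the serialized client payload in a unit test turns the "token not in DOM or network responses" impact statement into a check that fails if the token ever reappears in the client shape.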