Aria Stewart

Results 147 comments of Aria Stewart

Yeah, though that comes from the package, not the registry -- one of the uses of this change would be to identify things published to the wrong registry.

We had a package that should have been published to `registry.npmjs.com` get published to our internal registry by mistake (shadowing the real package) -- diagnosing this was a little bit...

Perhaps add `"kappaRegistryInfo": { "origin": "registryname" }` to the returned JSON?

(and no, it doesn't show with `--verbose` to npm)

That sounds wonderful to me -- I don't think running as root is really what anyone wants to do. Bower already treats it specially, and I'm inclined to follow, even...

Did you send the token with your request?

That sounds a bit like you're trying to do more than mitigate a CSRF attack with it. What are you trying to do?

So why does this require invalidating the token, if both pages should use the same one?

Ah, okay. That makes more sense. It doesn't really answer _why_ though -- what are you trying to prevent? Sounds like more than CSRF attacks that you're trying to prevent.