Enforcing npm publishing access on nodejs packages
With granular tokens and OIDC migration in https://github.com/nodejs/admin/issues/998, we could now consider enforcing the rule to require 2FA on publishing, and even disallow tokens (including granular tokens and classic tokens) on packages hosted on https://www.npmjs.com/~nodejs-foundation.
The currently available options are (this is a per-package setting):
Trusted Publishing currently has a number of security issues in its implementation, but once those are resolved, as long as all packages using it are also using Environments with 2+ required reviewers, then this is a great change to make.
This setting is not necessarily associated with OIDC-based publishing. This is an enforcement on requiring 2FA when publishing with either classic or granular tokens. This should be a security gain on the current setup.
Right - but I'm saying that migrating from tokens to OIDC should not be an option at the moment, so we can't yet disallow 1FA tokens.
In today's TSC meeting we proposed requiring 2FA for all publishing. We didn't have quorum, so we'll leave this open for another week.
@legendecas would post an issue in the packages to notify them of the change.
Packages that may be impacted by the change:
(these packages were published in the past year by an individual account or token)
- https://github.com/nodejs/changelog-maker / https://www.npmjs.com/package/changelog-maker
- https://github.com/nodejs/citgm / https://www.npmjs.com/package/citgm
- https://github.com/nodejs/branch-diff / https://www.npmjs.com/package/branch-diff
- https://github.com/nodejs/core-validate-commit / https://www.npmjs.com/package/core-validate-commit
- https://github.com/nodejs/lts-schedule / https://www.npmjs.com/package/lts
- https://github.com/nodejs/cjs-module-lexer / https://www.npmjs.com/package/cjs-module-lexer
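The criterion behind the list above (published within the past year, and not through trusted publishing) can be checked mechanically from `npm view <pkg> --json` output. The script below is an added example, not code from this thread or from the nodejs project; it assumes that the absence of `dist.attestations` on the latest version means the publish came from an account session or token rather than OIDC, and it runs on constructed sample data instead of querying the registry.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples shaped like `npm view <pkg> --json` output (names and dates
# invented). `dist.attestations` appears only on versions published with provenance.
SAMPLES = [
    {   # published recently with a token or account session: affected
        "name": "example-a", "dist-tags": {"latest": "2.1.0"},
        "time": {"2.0.0": "2024-01-10T12:00:00.000Z", "2.1.0": "2025-03-02T08:30:00.000Z"},
        "_npmUser": {"name": "maintainer-a"}, "dist": {"tarball": "https://example.invalid/a.tgz"},
    },
    {   # published recently via trusted publishing: has attestations, not affected
        "name": "example-b", "dist-tags": {"latest": "5.0.1"},
        "time": {"5.0.1": "2025-04-18T09:00:00.000Z"},
        "_npmUser": {"name": "github-actions[bot]"},
        "dist": {"tarball": "https://example.invalid/b.tgz",
                 "attestations": {"provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}},
    },
    {   # last publish is older than the one-year window: not in the notify list
        "name": "example-c", "dist-tags": {"latest": "1.0.0"},
        "time": {"1.0.0": "2022-06-01T00:00:00.000Z"},
        "_npmUser": {"name": "maintainer-c"}, "dist": {"tarball": "https://example.invalid/c.tgz"},
    },
]

# Fixed reference clock so the audit is repeatable (an assumption for the example).
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def parse_npm_time(value):
    """npm timestamps are ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(view, now, window=timedelta(days=365)):
    """'impacted' = latest version published inside the window and without
    provenance attestations, i.e. by an individual account or a token, not OIDC."""
    latest = view["dist-tags"]["latest"]
    published = parse_npm_time(view["time"][latest])
    recent = now - published <= window
    attested = "attestations" in view.get("dist", {})
    return {"name": view["name"], "latest": latest, "recent": recent,
            "publisher": view.get("_npmUser", {}).get("name"),
            "trusted_publishing": attested, "impacted": recent and not attested}

def audit(views, now):
    """Names of the packages whose maintainers need the heads-up."""
    return sorted(r["name"] for r in (classify(v, now) for v in views) if r["impacted"])

if __name__ == "__main__":
    print("impacted:", audit(SAMPLES, REFERENCE_NOW))  # → impacted: ['example-a']
```

To run it against real packages, replace `SAMPLES` with the parsed output of `npm view <pkg> --json` for each package in the scope.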