Nicholas Zakas
You have to go in individually to each package and go through multiple two-factor authentication approvals as well just to do it for one package.
And I've been told that there's going to be a batching tool coming out.
I'm still not there yet.
But in the meantime, they still rolled out these changes fairly quickly to people to kind of force changing over to the granular tokens with shorter TTLs and the trusted publishing.
And so there were just a lot of maintainers that were like, you're just throwing a ton of work onto our plate and the tools to help us do that work aren't even there yet.
Yeah, so it's trusted because it is known ahead of time that that is the one location that you can publish from.
Like any other workflow that you add, you can ask to get the ID token and publish to NPM, but that workflow is untrusted.
So it can't actually use a token to publish to NPM.
So it ends up being just a form of validation between that workflow and NPM to validate that it is allowed to publish that package.
Yeah, which again, is actually a nice system.
If you're on GitHub or GitLab and you don't worry too much about needing two-factor authentication, it's a decent system, but...
To me, it's still GitHub and NPM saying, like, okay, maintainers, you need to do more to protect everybody from you being a victim of your credentials being stolen, which is why in my post, I use the analogy of credit cards, where there's a lot of fraud using credit cards.
And that's why credit card companies keep introducing new ways of validating that you are the authorized user of the card that you're using, whether that be the CVC number on the back, or the chip that is in the card, or in Europe needing to add a PIN in addition to your chip.
They do all of that stuff to hopefully prevent people from using your credit card number without your permission, which is great.
We should do that.