Requiring 2FA for npm publishes
In light of recent events, I think we should start requiring 2FA in order to publish npm packages in the eslint npm organization. This would significantly reduce the risk of malicious publishes due to compromised accounts, like the one last week.
Since our publishes are performed by a bot account on a Jenkins server, the process of doing this will be nontrivial. I think the best way to do this would be for all the people authorized to start a release to scan the same TOTP private key to their phone. Then they would enter a TOTP code through the Jenkins interface while the release happens, and the Jenkins server would use it to complete the release.
This would prevent malicious publishes in the following attack scenarios:
- A TSC member’s GitHub account is compromised (without 2FA, this would allow an attacker to log into Jenkins and start a release).
- The Jenkins server itself is compromised (without 2FA, this would allow an attacker to steal an npm access token from the server and start a release).
Releases take several minutes, since the server runs all of the tests before publishing. As a result, entering a TOTP code at the start of the Jenkins build won’t work, because the token will expire by the time the package needs to be published. We have a few options:
- We could use a pipeline input step to pause the build and have a TSC member enter a TOTP code in the middle. This would likely require some changes to eslint-release.
- We could wait for npm to ship time-limited tokens.
I would prefer the first option, since we don’t know when the second option will be available.
Issue Analytics
- Created 5 years ago
- Comments: 11 (11 by maintainers)
Top GitHub Comments
All of eslint’s packages now require 2FA to publish, and the infrastructure for doing so on the build server has been set up (see here), so this issue is complete.

TSC Summary: npm has an option to require a 2FA code to be entered when publishing any particular package. This would improve the security of our releases because it would prevent a malicious release in the event that (a) a TSC member’s GitHub or npm account is compromised, or (b) the Jenkins server is non-persistently compromised. If we enabled this, we would probably do releases by sharing the 2FA private key among the users who are allowed to do the release, and entering a TOTP code into Jenkins during the release process.
TSC Question: Should we require 2FA for npm publishes?