Revised npm Security Timeline Based on Your Feedback · community · Discussion #178140
Hello @leobalter, I don't think you have thought this through. Please try to go through the proposed workflow. Your security/CI engineers should propose a decent solution to help users manage these changes in a responsible way.
Your press release on the GitHub blog says we can use npm create token to create a token. OK, let's try.
npm token create
npm password:
npm notice Security Notice: Classic tokens have been revoked. Granular tokens are now limited to 90 days and require 2FA by default. Update your CI/CD workflows to avoid disruption. Learn more https://gh.io/all-npm-classic-tokens-revoked
npm error code E401
npm error Unable to authenticate, your authentication token seems to be invalid.
npm error To correct this please try logging in again with:
npm error npm login
OK, so let's run npm login
Getting 2FA > We are now logged in
Let's run npm token create
Getting asked for my npm password + 2FA again
- Why do you even need my password now? When I do npm publish for other projects I am not asked for my password, just 2FA (which I am fine with, I understand the implications of a supply chain attack)
- Why do you need 2FA twice?
Anyway, I get the error: npm error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/tokens - Token name is required
So now, going through the documentation of npm help create, I figure out that this is how I can generate it for my package:
npm token create --name publishci --expires 90 --packages @my/package --password $MYPASSWORDINCLEAR
Notice how you are pushing us to put our npm password in clear in our environment to avoid having to memorize and type it every time (because we'll go through 2FA anyway, and we have already run npm login, so this password prompt is really not necessary).
What you should have done is propose a simple npm create token + gh secret set pipe 🤯 or just integrate this into the gh CLI directly.
Unfortunately, if I try to pipe the npm command or put it inside a script, that breaks the 2FA call (which is weird, because I don't get this behavior with the 2FA call from npm publish... but at this point I am not really surprised).
So the only option now is moving the npm publish step out of CI and into a local environment, which is a pain for a build that targets multiple architectures, something that is often done in CI.
We can start feeling the impact of Microsoft now being the owner of GitHub and npm...
Please try setting up publishing workflows yourself through this madness, and share the best practices with us.
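Added example, not part of the discussion above: a small POSIX shell check showing why a password given on the command line, as in the --password $MYPASSWORDINCLEAR form in this post, is exposed to every local user, since each process's argv is world-readable under /proc/<pid>/cmdline on Linux. It assumes a Linux /proc; the npm stand-in process and the secret value are constructed for the demo.

```shell
#!/bin/sh
# Added example (not npm's or the discussion's code). Demonstrates why
# "npm token create ... --password $MYPASSWORDINCLEAR" leaks the password:
# on Linux, any process's argv is readable by any local user via
# /proc/<pid>/cmdline. Assumes a Linux /proc; the secret is constructed.

# Return 0 if some other running process has "$1" on its command line.
secret_in_cmdline() {
  needle="$1"
  for pid in /proc/[0-9]*; do
    [ "${pid#/proc/}" = "$$" ] && continue   # skip this shell itself
    # cmdline is NUL-separated; turn NULs into spaces before searching
    if tr '\0' ' ' < "$pid/cmdline" 2>/dev/null | grep -qF -- "$needle"; then
      return 0
    fi
  done
  return 1
}

# Simulate the leak: a stand-in for npm, started with a constructed secret
# on its argv, stays alive for a few seconds while /proc is scanned.
demo_exposure() {
  secret="CONSTRUCTED-npm-password-$$"
  # the trailing ':' keeps sh from exec'ing sleep and discarding its argv
  sh -c 'sleep 5; :' npm-stand-in token create --password "$secret" &
  bg=$!
  sleep 1
  if secret_in_cmdline "$secret"; then found=0; else found=1; fi
  kill "$bg" 2>/dev/null || true
  wait "$bg" 2>/dev/null || true
  return "$found"   # 0 = the secret was visible to every local user
}

# Stand-alone run: report whether the constructed secret was exposed.
if demo_exposure; then
  echo "secret visible in /proc/<pid>/cmdline: prompt for it (read -rs) or read it from a mode-0600 file instead"
else
  echo "secret not found on any process command line"
fi
```

Environment variables are only readable by the same user (via /proc/<pid>/environ), so a silent prompt or a private file is the safer way to hand the password to npm on a shared machine.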