Is your npm pipeline broken today? Check your ‘classic’ tokens

The amount of extra work this entails for developers depends on how many packages are involved and how large the organization is. For a larger organization that has not already done the preparatory work, it could mean checking hundreds of packages across multiple teams: the classic tokens used to publish those packages need to be retired, and a process needs to be set up to rotate the granular tokens that replace them.

However, not everyone is convinced that the reform goes far enough. Last month, the OpenJS Foundation criticized the maturity of the tokenless OIDC security model that GitHub wants developers to move to in the long term. Given that attackers often compromise packages after breaking into developer accounts, more emphasis should be placed on multi-factor authentication (MFA) security for those accounts, according to the OpenJS Foundation.

Currently, npm does not require MFA for smaller developer accounts, and OIDC itself does not add an MFA step when a package is published. In automated workflows there is essentially no way to add MFA to the process at all. And then there is the problem that some forms of MFA, in particular one-time codes delivered by SMS or generated by an authenticator app, can be relayed in real time by a phishing proxy sitting between the developer and npm. Any authentication method relied on for publishing therefore has to withstand that kind of attack; authenticators that bind the signed response to the site's origin, such as FIDO2/WebAuthn security keys and passkeys, are designed to do so, while a bare one-time code carries no information about where it was typed.
