
Continuous enforcement of 2FA for publishing packages #11

Open
achrinza opened this issue Mar 13, 2022 · 0 comments

Comments


achrinza commented Mar 13, 2022

All NPM packages under our purview were manually reviewed to ensure that 2FA was enforced for publishing these packages. Currently, this is being done manually by reviewing each package individually through npmjs.com.

There is currently no way to do an organisation-wide 2FA publishing enforcement nor a way to programmatically retrieve the current packages' 2FA publishing requirement, though there seem to be some future plans.

From https://github.blog/2021-12-07-enrolling-npm-publishers-enhanced-login-verification-two-factor-authentication-enforcement/:

We are currently working on a variety of enhancements to the registry to make 2FA adoption easier for developers, including:
...

  • Better tools for understanding 2FA adoption in npm orgs

However, we can still programmatically enable 2FA for package publishing using libnpmaccess through a scheduled GitHub Action Workflow. While a "mitigative" solution, it reduces the attack window in case of an accidental disabling of this publishing requirement.

This proposed solution does not:

  • Prevent disabling of 2FA publishing requirement
  • Provide visibility when a 2FA publishing requirement is disabled
@achrinza achrinza changed the title Enforce 2FA for publishing packages Continuous eforcement of 2FA for publishing packages Mar 13, 2022
@achrinza achrinza changed the title Continuous eforcement of 2FA for publishing packages Continuous enforcement of 2FA for publishing packages Mar 16, 2022
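One way to build the scheduled re-assertion job the issue proposes, as an added example that is not code from the issue, its author, or the project. Instead of depending on a particular libnpmaccess major version, it calls the registry endpoint that libnpmaccess's `tfaRequired()` wraps (`POST /-/package/<name>/access` with `{"publish_requires_tfa": true}`). The package list, the `NPM_TOKEN` and `NPM_REGISTRY` environment variable names, and the use of Node 18+ for the global `fetch` are assumptions, not something the issue specifies.

```javascript
// Added example (not from the issue or the project): re-assert the
// "2FA required to publish" flag on a fixed list of npm packages, for use
// from a scheduled GitHub Actions workflow.
//
// Registry call (the same one libnpmaccess's tfaRequired() makes):
//   POST /-/package/<name>/access   body: {"publish_requires_tfa": true}
//
// Assumed, not from the issue: the package list, the NPM_TOKEN and
// NPM_REGISTRY environment variable names, and Node 18+ (global fetch).
const REGISTRY = process.env.NPM_REGISTRY || 'https://registry.npmjs.org';

// Constructed sample list; a real job would read this from a file in the repo
// so that adding a package to the list is a reviewed change.
const PACKAGES = ['@example/pkg-a', '@example/pkg-b', 'example-pkg-c'];

// The package name is a single path segment, so a scoped name must be encoded
// as "%40scope%2Fname" rather than left with a literal slash.
function accessUrl(name, registry = REGISTRY) {
  return `${registry.replace(/\/+$/, '')}/-/package/${encodeURIComponent(name)}/access`;
}

// fetch() init for setting (or clearing) the publish-requires-2FA flag.
function tfaRequestInit(token, required = true) {
  return {
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      authorization: `Bearer ${token}`,
    },
    body: JSON.stringify({ publish_requires_tfa: required }),
  };
}

// Re-assert the flag on every package and report per-package outcome.
// `send` is injectable so the logic can be exercised without network access;
// it defaults to the global fetch.
async function enforcePublishTfa(packages, { token, registry = REGISTRY, send } = {}) {
  if (!token) throw new Error('npm token is required');
  const doSend = send || fetch;
  const results = [];
  for (const name of packages) {
    let status;
    try {
      const res = await doSend(accessUrl(name, registry), tfaRequestInit(token, true));
      status = res.status;
    } catch (err) {
      status = 0; // transport failure; recorded like a failed call
    }
    results.push({ name, status, ok: status >= 200 && status < 300 });
  }
  return results;
}

async function main() {
  const results = await enforcePublishTfa(PACKAGES, { token: process.env.NPM_TOKEN });
  for (const r of results) {
    console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.name} (HTTP ${r.status})`);
  }
  // A non-zero exit makes the scheduled workflow run show as failed, which is
  // the only signal this approach produces.
  process.exitCode = results.every((r) => r.ok) ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  if (process.env.NPM_TOKEN) main();
  else console.error('NPM_TOKEN is not set; no registry calls made');
}
if (typeof module !== 'undefined') {
  module.exports = { accessUrl, tfaRequestInit, enforcePublishTfa, PACKAGES };
}
```

In the workflow, run this on a `schedule:` cron trigger with `NPM_TOKEN` supplied from a repository secret, and treat a failed run as the alert. Two caveats match the limitations the issue lists: the job only narrows the window between an accidental disable and the next run, and it reports nothing about the flag's state in between. Whether the registry accepts this access change from an unattended token, or demands a one-time password for it, depends on the account's 2FA mode and should be verified with the token you intend to use before relying on the schedule.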