Revoke some release permissions in case npm supports package based publish permission token now #71
Comments
I looked through https://github.com/unifiedjs/collective/blob/main/data/teams.yml; it seems you would be affected mostly. If you still want to maintain all packages under the orgs, feel free to keep the config as-is.
Or, is it possible to change some releasers' permissions on specific packages? For example, I may want only https://github.com/mdx-js/eslint-mdx 's publish permission. cc @wooorm
Why is that a security issue? Releasers teams should not be too small, because of the bus factor: https://en.wikipedia.org/wiki/Bus_factor.
We have 500+ repos. What improves if we remove releasers? What do tokens solve?
And that is why I specifically set up a token for you, because you specifically wanted to set up automation for that repo.
I also thought about the bus factor, but TIL it has a name. Also, next time there's another wave of major releases, I intend to help speed things up.
That's great if you want to maintain all the org's packages; then there's nothing left to be done here. 🍻
Initial checklist
Problem
The current release permission is org based, which could be a security issue; the releasers team should be as small as possible.
Solution
Idea from mdx-js/eslint-mdx#492 (comment)
Alternatives
N/A