If you use npm to publish or install packages, here is a significant change you should be aware of: GitHub now requires 2FA (two-factor authentication) and the use of stronger access tokens. It may feel like a hindrance, but the aim is simply to keep attackers out of the registry; GitHub does not want its infrastructure involved in attacks.
Why GitHub is doing this
Recently, npm has been subject to several attacks. Attackers have run campaigns such as s1ngularity, GhostAction, and Shai-Hulud to steal accounts and then push malicious code. GitHub concluded that fixing things AFTER each compromise and patch was not enough, and it will now enforce stronger authentication requirements before a package can be published.
What are the updates?
Here are some highlights of the changes:
• Two-factor authentication is required: you will not be able to publish without it.
• Token expiration is shortened: publish tokens now expire in 7 days.
• Trusted publishing: CI/CD pipelines can publish without tokens as a trusted publisher.
• Deprecated old tokens: classic tokens, as well as the former TOTP-based 2FA, are now in a timed transition to FIDO/WebAuthn.
• Safer default settings: new tokens cannot publish unless you explicitly grant that permission.
Together, these changes make it significantly harder for an attacker to take over your account.
What it means for developers
Yes, two-factor authentication can feel annoying when you need to publish quickly. But consider this: would you rather type a code quickly, or give up control of your package?
For example, I lost a whole weekend cleaning up a project because of a problematic *javascript* package (it came from an *npm* package). If 2FA prevents that from happening again, I will use it, as long as it does not slow me down or complicate my work too much.
What is the benefit of trusted publishing?
Trusted publishing makes things easier: it lets your build system publish packages without a secret token to manage, so there is less chance of a mistake (a leaked or over-privileged token) and less to worry about.
GitHub is also hoping developers will adopt it on the premise that it will be safer and easier in the future.
To conclude
So, to put it simply, GitHub is locking down npm with mandatory 2FA and short-lived tokens. Yes, it is one more step, but it gives your projects a real layer of protection against a repeat of these attacks.