Did your npm pipeline break today? Check your 'classic' tokens
Briefly

"The amount of extra work all this creates for developers will depend on how many packages are involved and their organization's size. For larger organizations, assuming they haven't already done the legwork, this could involve auditing hundreds of packages across multiple teams. Classic tokens in these packages will have to be revoked, and a process will have to be put in place to rotate granular tokens."
"Last month, the OpenJS Foundation criticized the maturity of the tokenless OIDC security model that GitHub wants developers to move towards in the long term. Given that attackers often compromise packages after breaking into developer accounts, more emphasis should be put on multi-factor authentication (MFA) security for those accounts, the OpenJS Foundation said. Currently, npm doesn't mandate MFA on smaller developer accounts, and OIDC itself imposes no additional MFA stage when publishing packages."
The amount of extra work for developers depends on how many packages are involved and on organization size. Larger organizations may need to audit hundreds of packages across multiple teams, revoke classic tokens, and implement token rotation processes for granular tokens. The OpenJS Foundation criticized the maturity of the tokenless OIDC security model and urged stronger MFA protections because attackers often compromise packages after breaching developer accounts. npm does not mandate MFA for smaller developer accounts, OIDC adds no MFA stage for publishing, automated workflows cannot incorporate MFA, and some MFA methods remain vulnerable to man-in-the-middle attacks, so authentication must resist such techniques.
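The audit step above (finding which packages still publish with a stored token, and which ones a pasted token has leaked into) is the part that scales badly across hundreds of repositories. The script below is an added example, not code from the InfoWorld article or from npm: it inventories a checkout tree for `.npmrc` files and workflow YAML and reports three kinds of finding. It assumes, as our own assumptions rather than anything the article states, that an npm token looks like `npm_` followed by 36 alphanumerics and that an OIDC (trusted-publishing) workflow declares `id-token: write`; the sample repositories and the token value in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the InfoWorld article or from npm): inventory a
# checkout for token-based npm publishing so classic tokens can be found,
# revoked and replaced. Assumptions of ours: npm tokens are "npm_" followed by
# 36 alphanumerics; an OIDC workflow declares "id-token: write".

TOKEN_RE='npm_[A-Za-z0-9]\{36\}'

# audit_npm_auth DIR: print one tab-separated line per finding:
#   <kind> <file> <detail>
# LITERAL_TOKEN  a token pasted into a file (revoke it, whatever its type)
# AUTH_TOKEN_REF a workflow/.npmrc that injects a stored token (check its type)
# OIDC           a workflow that requests an id-token (no long-lived token)
audit_npm_auth() {
    dir=$1
    find "$dir" -type f \( -name '.npmrc' -o -name '*.yml' -o -name '*.yaml' \) |
    while IFS= read -r f; do
        rel=${f#"$dir"/}
        if grep -q "$TOKEN_RE" "$f"; then
            printf 'LITERAL_TOKEN\t%s\t%s\n' "$rel" "token pasted into file; revoke it now"
        fi
        if grep -q -e '_authToken=' -e 'NODE_AUTH_TOKEN' -e 'NPM_TOKEN' "$f"; then
            printf 'AUTH_TOKEN_REF\t%s\t%s\n' "$rel" "uses a stored token; confirm it is granular, not classic"
        fi
        if grep -q 'id-token: *write' "$f"; then
            printf 'OIDC\t%s\t%s\n' "$rel" "requests an OIDC id-token"
        fi
    done
}

# count_kind DIR KIND: number of findings of one kind (useful as a CI gate,
# e.g. fail the build while LITERAL_TOKEN is non-zero).
count_kind() {
    audit_npm_auth "$1" | awk -F '\t' -v k="$2" '$1 == k' | wc -l | tr -d ' '
}

# make_sample_repo: build a constructed checkout showing the three patterns
# and print its path. The token value is made up (26 letters + 10 digits).
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg-a/.github/workflows" "$d/pkg-b/.github/workflows" "$d/pkg-c"
    cat > "$d/pkg-a/.github/workflows/publish.yml" <<'EOF'
jobs:
  publish:
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
    cat > "$d/pkg-b/.github/workflows/publish.yml" <<'EOF'
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - run: npm publish --provenance
EOF
    printf '//registry.npmjs.org/:_authToken=npm_%s\n' \
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" > "$d/pkg-c/.npmrc"
    printf '%s\n' "$d"
}

# Usage: ./npm-token-audit.sh /path/to/checkouts ; with no argument the
# constructed sample tree is audited instead.
if [ -n "$1" ]; then
    audit_npm_auth "$1"
else
    repo=$(make_sample_repo)
    audit_npm_auth "$repo"
    rm -rf "$repo"
fi
```

Run it against a directory that holds one clone per package; the `AUTH_TOKEN_REF` lines are the list of secrets whose npm-side token type has to be checked and, if classic, revoked and replaced with a granular token, while any `LITERAL_TOKEN` line is a credential to revoke regardless of its type. Only the `OIDC` repositories need no token rotation process at all.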
Read at InfoWorld