17 comments

[ 1.8 ms ] story [ 217 ms ] thread
*npm package maintainers

Is high impact a defined term here?

> A package is marked as a high impact package when they have more than 1 million weekly downloads or have more than 500 dependents.
For such a short blog that I actually clicked on, this is embarrassing.

Not reading the article is probably on par with not getting past the 2nd sentence.

Am intrigued why this is npm only when they already seem to have some of the strictest publishing requirements around, 2fa or one time passwords are mandatory now I thought?

No, this is the post that 2FA is becoming mandatory on (github-owned) npm for a larger group of packages (previous waves in February and May covered the top-100 and top-500 respectively).

It's not a policy for github accounts, but I can understand the confusion given it is posted on the github blog - the npm blog has been merged into it.

That's also why the policy is npm only, github don't own other registries to set policy (though I'll note pypi at least is setting a similar policy)

Is this for Go modules and python and PHP and C libraries?
It feels odd that Github is deciding this policy.

A high-impact package on another forge wouldn't be subject to the same constraint.

GitHub owns and operates npm, so they certainly have the authority and ability to enforce it. I doubt requiring the same of packages hosted elsewhere is feasible.
Dependabot and GitHub already scan Ruby Gemfiles and lock files and .NET's NuGet package references, among others. They already have the raw data to do it for a number of package ecosystems (and you can see that on repo pages if you go look for it). Starting with npm is clearly obvious because they also own npm, but I wouldn't be surprised if they set similar bars for other package ecosystems that they are aware that they host critical supply chains for.
(comment deleted)
Github allowed node-ipc maintainer to stay after he intentionally distributed malware. This move is just security theater in that light. What will 2FA do? Let you be really really sure it was the maintainer who did it? Realistically, github wants your phone number for reasons.
This is not a security measure against real maintainer going mental and breaking everything. I am sure you can understand that different problems need different measures.
I'm pretty sure GH wouldn't use SMS for this since it's provably not a very good way to handle MFA. Banks seem to have not caught on to this, unfortuntely
pypi.org (the Python Package Index) did the same thing in July, with some amount of criticism from the community: https://news.ycombinator.com/item?id=32037562

At least they gave away security keys to try and spin it in a positive light: https://pypi.org/security-key-giveaway/ (well sort of, if you already have 2FA on, no key for you valued maintainer)

Honestly that wasn't so bad, I got two Google security keys sent to me at no charge and now I keep one in my pocket and one safely at home.

I get the general "You not trusting your dependencies is your problem", but at the same time it's really only a minor annoyance.