quarantine packages without 2fa until author confirms

security

(Alex Knol) #1

Feature: NPM could require package versions uploaded without 2FA to be confirmed by the package author.
Effectively packages would be quarantined after upload and a notification would go out to the author that a new version was uploaded. When the author confirms he wants to release, the package is added to the public repository.

Additionally, this opens up the opportunity to scan any newly uploaded (and quarantined) packages for vulnerabilities before they are published.

Why: Enabling 2FA stands in the way of CI servers uploading package updates to npm.


(Zbyszek Tenerowicz) #2

This is a nice idea. Effectively using someone’s email as second factor.