Require or at least broadcast package 2FA

registry

(Benjamin Cooper) #1

Today’s eslint fiasco shows that 2FA can be a powerful tool for stopping unauthorized package publishes. When a package author chooses not to use 2FA and gets compromised as a result, the impact doesn’t just affect the author, it impacts everyone depending on that package. Thus, would it be possible to do either of the following steps?

  1. Include prominently on the npm website whether a package is published by an author using 2FA and create a repo badge to advertise this.
  2. Require packages with enough downloads (I’m not familiar enough with the ecosystem to say what an appropriate amount would be) to use 2FA to further publish packages.

These are both pretty heavy handed - particularly the latter - but I think that’s appropriate when an individual’s poor security choices can harm so many developers and their users.


(Kat Marchán) #2

There will likely be some changes related to auth and 2FA coming soon, but stand by for more news on it. Things are still wrapping up. :slight_smile:


(Michael Graf) #3

+1 Feature Request: Allow me to specify “Only trust 2FA enabled packages” within my package.json. If a non-2FA dependency is encountered barf loudly so I can hound them and/or remove the dependency.


(NJ) #4

Registered just to chime in on this, it’s a shame that this wasn’t implemented:
https://github.com/npm/npm/pull/4016

That said, if the account is compromised and a new public key added (as the publishing token was, according to the post-mortem) then a self-trusted public key wouldn’t help on its own.
Ideally, having public keys that are signed by at least 2 other package maintainers where possible would eliminate this.

(In short, publishing requiring a signature linked to a public key that has been signed by at least 1 (ideally 2 or more if available) of the other devs to be accepted, simple but effective)

Admittedly, this wouldn’t help solo devs much, their packages would still be at risk of being signed with freshly created keys, but the chained propagation that this was designed to achieve would have been impossible.

Edit: Digging through the messages, it would appear that yesterday’s exact scenario was pretty much predicted in an issue from 2015:
https://github.com/npm/npm/issues/8489


(Espen Hovlandsdal) #5

I’d like to flag all my packages as requiring 2FA in order to publish them. Basically, don’t make it a user setting but rather a package setting. If a person with publish rights to the package does not have 2FA set up and tries to publish; disallow the publish. Would that be possible?


(Alexander Kachkaev) #6

I guess requiring 2FA for a package will be possible with npm access 2fa-required <package>.
Current use in canary: npx npmc access 2fa-required <package>.

Blog post: https://blog.npmjs.org/post/175861857230/two-factor-authentication-protection-for-packages