16 votes

npm package "eslint-scope" compromised, npm is invalidating all login tokens created before 2018-07-12 12:30 UTC

5 comments

  1. [4]
    Comment deleted by author
    1. [3]
      Neverland

      The eslint-scope code that was built for this package was not from the repo.

      I am no expert on the matter, but wouldn’t it make sense if NPM owned the build process, and each package was locked to a specific code repo?

      2 votes
      1. [3]
        Comment deleted by author
        1. [2]
          Neverland
          (edited)

          Yeah, the more I think about it, the more pissed off I get about how NPM works.

          How is it Open Source if you cannot prove that the code that NPM distributes is the code that is in the repo?

          Am I missing something here?

          edit: I do realize that NPM itself is closed source, for profit, VC backed, but I mean the packages it distributes.

          2 votes
          1. [2]
            Comment deleted by author
            1. Neverland
              (edited)

              Hmm, I think I just read that Yarn does not support NPM accounts with 2FA, which I believe would have also avoided the eslint-scope issue today.

              searching ...

              Yup, no 2FA support: https://github.com/yarnpkg/yarn/issues/4904

              edit: clarity

              2 votes
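The check Neverland is asking for above (proving that the code npm distributes is the code in the repo) can be done today by hashing every file in the published tarball against a checkout of the tagged source. The script below is an added example, not code from the page's authors, from npm, or from the ESLint project. It assumes npm's tarball layout (every entry under a top-level "package/" directory) and that the repo checkout is already at the commit the version claims to come from; the sample repo and tarball it builds are constructed in a temp directory so it runs offline.

```python
"""Compare an npm-style tarball against a source checkout, file by file.

Added example, not from the page or from npm/ESLint. Assumes npm's
"package/" tarball prefix and a checkout at the claimed tag. The sample
data is constructed in a temp dir so the script runs offline.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def repo_digests(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root,
    skipping .git and node_modules."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                out[rel] = _sha256(f.read())
    return out


def tarball_digests(path: str, prefix: str = "package/") -> dict:
    """Map relative path -> sha256 for every regular file in a .tgz,
    stripping npm's leading "package/" directory (assumed layout)."""
    out = {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.startswith(prefix):
                name = name[len(prefix):]
            out[name] = _sha256(tar.extractfile(member).read())
    return out


def compare(repo: dict, tarball: dict) -> dict:
    """Files shipped but never committed, committed but not shipped,
    and files whose shipped bytes differ from the repo's."""
    common = set(repo) & set(tarball)
    return {
        "only_in_tarball": sorted(set(tarball) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(tarball)),
        "modified": sorted(p for p in common if repo[p] != tarball[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def build_sample(tmp: str):
    """Constructed sample (hypothetical package "example-pkg"): a tiny repo
    and a tarball whose lib/index.js gained a line at publish time and which
    carries a file that was never committed."""
    repo = os.path.join(tmp, "repo")
    _write(repo, "package.json", '{"name":"example-pkg","version":"1.0.0"}\n')
    _write(repo, "lib/index.js", "module.exports = function scope() {};\n")
    _write(repo, "README.md", "# example\n")

    tarball = os.path.join(tmp, "example-pkg-1.0.0.tgz")
    shipped = [
        ("package.json", '{"name":"example-pkg","version":"1.0.0"}\n'),
        ("lib/index.js", "module.exports = function scope() {};\n"
                         "console.log('line not present in the repo');\n"),
        ("lib/extra.js", "// file never committed to the repo\n"),
        # README.md deliberately not shipped
    ]
    with tarfile.open(tarball, "w:gz") as tar:
        for rel, text in shipped:
            data = text.encode()
            info = tarfile.TarInfo("package/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return repo, tarball


def demo() -> dict:
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, tarball = build_sample(tmp)
        return compare(repo_digests(repo), tarball_digests(tarball))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

For a real package you would point `repo_digests` at a `git checkout` of the release tag and `tarball_digests` at the registry tarball (`npm pack <name>@<version>` downloads it). Expect noise in "only_in_repo" from files excluded by .npmignore or the "files" field, and in both lists when the project has a build step; anything in "modified" or an unexpected entry in "only_in_tarball" is what deserves a close look.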
  2. unknown user

    The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.

    This is just going to keep happening until something changes, unfortunately. I wonder how impractical it would be to require all package maintainers to have 2FA enabled?

    3 votes