[TSC] choose a npm publication method for the future #87

@UlisesGascon

Description

We started a discussion around the idea of using Trusted Publishing (ref); this issue is a more formal continuation of my comment:

Regarding Trusted Publishing, we did great research and concluded that:

We believe Trusted Publishing represents the future, but it’s not yet ready for adoption in critical projects, as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.
https://openjsf.org/blog/publishing-securely-on-npm

Mostly due to the missing step of 2FA confirming the publication. This will be fixed by npm once staged publishing is deployed (no ETA yet): https://github.blog/security/supply-chain-security/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign/

In Express we are trying to do a CI version with 2FA (under discussion: expressjs/discussions#443), so we can probably adopt it if we want to avoid local publication due to the bus factor.

cc: @webpack/security-wg

Next steps

  • Include TSC Meeting agenda label

Context
