Joachim Viide
@jviide.iki.fi
https://jviide.iki.fi • A cruel and incompetent charlatan.
We encourage everyone to migrate from using npm publish tokens to trusted publisher!
github.com/e18e/ecosyst...
September 17, 2025 at 9:45 PM
Pay special attention to "Automation" and "Publish" token types, as they aren't scoped and allow writes. They also never expire.
"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
September 17, 2025 at 8:01 PM
Turns out that @skk.moe already opened an issue along these lines a while back: github.com/pnpm/pnpm/is...
[Feature Request] An option to forbidden packages to upgrade from a attested version to a unattested version · Issue #8889 · pnpm/pnpm
Contribution I'd be willing to implement this feature (contributing guide) Describe the user story Rspack recently encountered a token theft attack where it seems that the npm classic token they us...
github.com
September 13, 2025 at 11:52 AM
FWIW, reported this to them via HackerOne yesterday. Got a prompt response back that this is a known low risk issue and that they don't consider this to present a significant security risk.
September 10, 2025 at 1:24 PM