Remix clone Hacker News

new | show | ask | jobs Github

▲

progbits 8 hours ago

Why do you keep using token auth? This is unacceptable negligence these days.

NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

▲

timgl 8 hours ago | parent | next [-]

Yep, we are moving to workflow OIDC as the next step in recovery.

▲

junon 6 hours ago | parent | prev | next [-]

OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

	▲	woodruffw 5 hours ago \| parent [-]
		Trusted Publishing addresses the vector here, which is arbitrary persistence and delayed use of credentials by attackers. You're right that it's not a silver bullet (anything claiming to be one is almost certainly a financially induced lie), but it eliminates/foreshortens the attack staging window significantly.

▲

huflungdung 7 hours ago | parent | prev [-]

[dead]