
How much extra work this creates for developers will depend on how many packages are involved and on the size of their organization. For larger organizations, assuming they haven’t already done the legwork, this could mean auditing hundreds of packages across multiple teams. Classic tokens in these packages will have to be revoked, and a process will have to be put in place to rotate the granular tokens that replace them.
Not everyone is convinced that the reform goes far enough, however. Last month, the OpenJS Foundation criticized the maturity of the tokenless OIDC security model that GitHub wants developers to move towards in the long term. Given that attackers often compromise packages after breaking into developer accounts, more emphasis should be put on multi-factor authentication (MFA) security for those accounts, the OpenJS Foundation said.
Currently, npm doesn’t mandate MFA on smaller developer accounts, and OIDC itself imposes no additional MFA step when publishing packages. In fact, for automated workflows there is no way to add MFA to the process at all. There is also the issue that some forms of MFA are prone to man-in-the-middle attacks, which means that whatever authentication method is used needs to be able to resist such techniques.