| It's definitely a nuanced issue. > ● Automatically expire login tokens I don't see how this helps the issue at hand; a worm could spread very quickly, requiring just a single publish from each freshly infected user. > ● Require 2 factor auth for publish operations This seems very reasonable, and the easiest to implement. It also has the nice effect of being a captcha to the publish operation, which gives it some of the gravitas it deserves in an open ecosystem like npm. > ● Help users be logged out during install operations This may break far more packages than might be considered acceptable. > ● pre-install/post-install scripts should require user to accept or refuse. Presumably this would be unnecessary with 2FA for each publish operation. > ● make shrinkwrap by default (and fix all the issues with it) so that running npm install doesn't use different versions when used over time. Doesn't do much to address the issue at hand. A static dependency tree doesn't mean benevolent dependencies. > ● make updating a version an explicit decision via npm upgrade Same issues as shrinkwrap. |
2FA still doesn't mean you can trust the install script. Not running scripts automatically gives a chance to audit before they run.
And even with 2FA a worm could spread: It could manipulate the local npm installation so whenever you want to upload a package it will modify it during the publishing process giving you a 2nd-factor-request right when you expect it.
The only way to prevent that I can come up quickly is to over a chance to verify the package between signing (which npm doesn't support) and publishing.