Hacker News new | ask | show | jobs
by sheetjs 1478 days ago
Hi, random developer that somehow ended up in the top 500 but didn't have 2FA turned on (https://www.npmjs.com/package/xlsx)! npm inc invalidated all of our authentication tokens in mid April and we have been unable to sign in via the web interface since then. Assumably the same fate befalls other random devs.
5 comments
tedmiston 1478 days ago
> npm inc invalidated all of our authentication tokens in mid April and we have been unable to sign in via the web interface since then

This sucks, but invalidating the pre-2FA tokens is unavoidable if their goal is to tighten security of top packages. I don't know how this went down behind the scenes, but hopefully they announced giving you some long enough window like 60–90 days before the old tokens were invalidated.

However, what does invalidating your old tokens have to do with signing into the web app that uses your username and password?

link
Arnavion 1478 days ago
The real reason seems to be:

https://github.com/SheetJS/sheetjs/issues/2667#issuecomment-... (archived: https://web.archive.org/web/20220510110516/https://github.co... )

>Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution.

link
jwilk 1477 days ago
The real reason for what?
link
norman784 1477 days ago
In their comment[0] they said:

> npm inc invalidated all of our authentication tokens in mid April and we have been unable to sign in via the web interface since then.

[0] https://news.ycombinator.com/item?id=31575690

link
protomyth 1478 days ago
Did they tell your users that they locked out the developers? Uhm.... I kinda of expected some mediation or a step-by-step, but that just a dumpster fire solution.
link
smoldesu 1478 days ago
Sounds like a pretty bad policy if that inhibits your ability to respond to critical security flaws in your package.
link
_ofdw 1478 days ago
The npm ecosystem has been shown over and over again to be a dysfunctional tire fire.

I feel like at this point continuing to publish on npm is kind of a "that's what you get" situation.

link
tbeseda 1477 days ago
I don't know that this is the whole story in your specific case, sheetjs...
link
stefan_ 1478 days ago
Haha, wow. A classic NPM implementation!
link