by serial_dev
203 days ago
It could have eliminated an attack surface where they steal the credentials from the CI/CD... ...But then, if I understand NPM publishing well, you would still have the credentials on someone's computer lying around? I guess you could always revoke the tokens after publishing? It's all balancing convenience and security, with some options being bad at both?