AI + ML

All the world's a stage, and all the packages are merely players

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages before they can poison the software supply chain.

Modern software development relies on imported bundles of code known as packages (and sometimes libraries or modules). In the past decade or so, miscreants have focused on gaining access to the accounts of package maintainers. Subverting a widely used package offers a fast track to malware distribution.

Last December, amid the Shai-Hulud 2.0 campaign that compromised software packages, GitHub described a series of planned security measures intended to harden security for npm package publishers.

One of the measures, staged publishing, has now been implemented. GitHub on Wednesday merged npm stage into npm CLI (v11.15.0) and has updated the registry documentation that describes the process.

Staged publishing might also be called gated publishing – it requires a project maintainer to approve changes to a package that has been staged for release. It's been under discussion since 2020.

"Instead of publishing directly with npm publish, you can submit packages to a staging area with npm stage publish," the documentation explains. "A maintainer must then review and explicitly approve the staged package — with two-factor authentication (2FA) via the CLI or npmjs.com — before it becomes publicly available."

This process should have particular value for automated workflows, which typically don't include a way to authorize via 2FA. 

Automated workflows often rely on tokens for authentication, but these can be copied and stolen.

Tokens that remain valid for long periods of time become attractive targets for cyberattackers. That's why GitHub did away with long-lived classic tokens and encouraged the use of short-lived session tokens and permission-limited access tokens for automation. 

GitHub's discontinuation of classic tokens hasn't gone all that well because short-lived tokens tend to expire at inconvenient times – no one likes having to regenerate tokens every 90 days or less and then go through the reconfiguration process.

Staged publishing should make it easier for developers to set up maintainable workflows without burdensome re-authentication rituals. It gives package publishers the option to stage their package via automation and to delay the 2FA approval for publishing at a later date. 

GitHub offers trusted publishing as a way to establish trust between npm and the developer's CI/CD provider using OpenID Connect (OIDC) authentication. The OIDC mechanism still doesn't work when trying to publish a package for the first time, but together with staged publishing, the software supply chain looks a bit more defensible – so long as developers avail themselves of these tools. ®