So am I understanding this correctly that the upcoming NPM authentication and token changes mean our only publishing workflow options henceforth are either switching to OIDC Trusted Publishing[1] via GitHub Actions or using granular access tokens? The problem with the former is that I wanted to migrate my projects to Codeberg soon (which isn't supported). The problem with the latter is that granular tokens are unsuitable for publishing packages from a large monorepo, since these tokens are limited to 50 packages only (in addition to time limits)[2].

My thi.ng/umbrella repo contains 210 packages, so in order to publish them (sometimes all of them will need to be updated) I'd have to first generate multiple tokens and then also keep track of how many times each token has been used. This adds a lot of extra work and complexity to my monorepo publishing tool (thi.ng/monopub). I understand the need for improved NPM security, but as so often, these changes are just poorly thought through (IMO) and continuously add new workloads and complexity for maintainers...

[1] docs.npmjs.com/trusted-publish
[2] docs.npmjs.com/about-access-to

So to make it all even "better": To use Trusted Publishing, one also has to manually set up a GitHub Actions integration on npmjs.org for every single package individually! This is just mind-boggling and infeasible and means I'd have to manually fill in a form 200+ times (for that many packages) before I could even properly test this new publishing workflow.

Other people who're maintaining thousands of packages (e.g. DefinitelyTyped, Fontsource) have chimed in here too: github.com/orgs/community/disc

Let's hope this will be addressed!