ericclemmons / github-semantic-version

Automated semantic version releases powered by Github Issues.
MIT License
21 stars 8 forks

2fa #32

Closed hipstersmoothie closed 5 years ago

hipstersmoothie commented 6 years ago

Given the recent issues with npm and malicious token usage, it would be awesome if this library had the ability to use 2FA.

All it takes to get your npm token in a CI environment is to add the following to a package.json and open a PR. The token will get logged for everyone to see, and for an attacker to release a malicious version of your code.

```json
"postinstall": "echo $NPM_TOKEN"
```

NPM has 2FA (Authy) for publishing; this prevents the need to keep your NPM token secret, because you are the final say on whether a new version gets published. Maybe there could be an option to send the maintainer an email or text message prompting for the 2FA code.
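As an added example (not code from github-semantic-version or from the issue author), here is a small pre-merge check in the project's own language that compares the base branch's package.json with the PR's and reports install-time lifecycle hooks the PR adds or modifies, rating those that reference a credential environment variable or dump the environment as "high". The list of credential variable names and the two sample package.json documents are constructed assumptions for this example.

```javascript
// Added example, not part of github-semantic-version: flag npm lifecycle hooks that a PR
// introduces and that run automatically on `npm install` / `npm ci` in CI.

// npm runs these hooks on install without any user interaction (names are npm's own).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Credential-looking variable names. This list is an assumption for the example;
// extend it with whatever your CI injects.
const SECRET_ENV = /\b(NPM_TOKEN|NODE_AUTH_TOKEN|NPM_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN)\b/;

// Commands that print the whole environment or read the npm credentials file.
const ENV_DUMP = /(^|[\s;&|])(env|printenv)([\s;&|]|$)|\.npmrc/;

// Return only the install-time hooks defined in a package.json document.
function installHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const hooks = {};
  for (const name of INSTALL_HOOKS) {
    if (typeof scripts[name] === "string") hooks[name] = scripts[name];
  }
  return hooks;
}

// Compare base vs head and report every install hook the PR added or changed.
// "high": the command references a credential variable or dumps the environment.
// "review": any other new or modified install hook; a human should look at it.
function auditInstallHooks(baseText, headText) {
  const base = installHooks(baseText);
  const head = installHooks(headText);
  const findings = [];
  for (const [name, cmd] of Object.entries(head)) {
    if (base[name] === cmd) continue; // hook unchanged by this PR
    const leaks = SECRET_ENV.test(cmd) || ENV_DUMP.test(cmd);
    findings.push({
      hook: name,
      severity: leaks ? "high" : "review",
      change: name in base ? "modified" : "added",
      command: cmd,
    });
  }
  return findings;
}

// Exit status a CI step would use: non-zero only when a high-severity hook is present.
function ciExitCode(findings) {
  return findings.some((f) => f.severity === "high") ? 1 : 0;
}

// Constructed sample input: the PR adds exactly the postinstall hook from the issue.
const BASE_PKG = JSON.stringify({
  name: "demo",
  version: "1.0.0",
  scripts: { test: "mocha" },
});
const HEAD_PKG = JSON.stringify({
  name: "demo",
  version: "1.0.0",
  scripts: { test: "mocha", postinstall: "echo $NPM_TOKEN" },
});

const findings = auditInstallHooks(BASE_PKG, HEAD_PKG);
console.log(JSON.stringify(findings, null, 2));
console.log("exit code:", ciExitCode(findings));

module.exports = { installHooks, auditInstallHooks, ciExitCode, BASE_PKG, HEAD_PKG };
```

This only inspects the repository's own package.json; a PR that adds a dependency carrying its own postinstall is not seen here, so CI that holds a publish token should still run `npm ci --ignore-scripts`, and the token itself is best protected the way the issue asks, with 2FA required on publish.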