Comment by serial_dev
3 days ago
It could have eliminated an attack surface where they steal the credentials from the CI/CD...
...But then you if I understand NPM publishing well, you would still have the credentials on someone's computer laying around? I guess you could always revoke the tokens after publishing? It's all balancing convenience and security, with some options being bad at both?
No comments yet
Contribute on Hacker News ↗