[BUG] Creating a token with package/scope restrictions #158

@lgarron

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Settings at https://www.npmjs.com/ allow you to create granular access tokens with the following settings:

  • CIDR IP range restrictions.
  • Package/scope restrictions.
  • Organization restrictions.

However, as far as I can tell, npm-profile only supports the first.

It's getting more and more common to publish packages from tags using GitHub Actions, but I'm very reluctant to do this without restricting the tokens to certain packages. This means that a given repository can only cause limited damage to published packages if there is a severe bug or compromise. (Unpublishing is a partial solution, but it's no fun and can mess with package version numbering.) If I want to manage an organization's packages at scales like this, I do not want it to rely on manual UI operations, which are slow, unfun, and error-prone. I had always assumed it was possible to generate automation tokens with restrictions but that I was somehow missing something. Looking at this repo, it seems I'm not missing anything and this is just not implemented yet. So I'm asking for it! 🤓

I'd be happy to draft a PR, but I presume this would require more work on the backend.

Expected Behavior

Feature parity with the web UI.

Steps To Reproduce

Environment

Metadata

Assignees

No one assigned

Labels

  • Bug (thing that needs fixing)
  • Needs Triage (needs an initial review)

Milestone

No milestone