GitHub Adds Granular Access To npm
Written by Kay Ewbank
Monday, 12 December 2022
The granular access tokens are designed to help maintainers protect against data breaches by limiting the impact of an accidental or deliberate misuse of a token.
The feature extends the existing support in npm for automation tokens. Those can be used to publish to any package the token's owner has permission to publish to, and until now there was no way to create a token with less privilege than its owner; that is what the new granular access tokens are designed for. Developers can now create tokens that can publish only to a limited set of packages or to a limited set of scopes. A token can also restrict npm API access to a set of allowed IP ranges. A one-year expiry period has been added as well: GitHub says that less than 10 percent of the tokens in npm are in regular use, which leaves a large number of tokens unnecessarily active and increases the chance that such a long-lived token is eventually compromised.
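The restrictions described above (allowed packages, allowed scopes, allowed IP ranges and an expiry date) combine into a deny-by-default check on every request. The following is an added example, not code from GitHub or npm: the policy shape, the field names and the sample values are assumptions made for illustration, since the registry's internals are not public. It goes slightly beyond the text by showing how a read-only token is refused a publish as well.

```javascript
// Added example, not code from GitHub or npm: a model of how the restrictions on
// a granular access token (packages, scopes, allowed IP ranges, expiry) combine
// when a request is evaluated. The policy shape, field names and sample values
// are assumptions made for illustration; the registry's real internals are not public.

// Parse a dotted IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when `ip` lies inside `cidr`, e.g. ipInCidr('203.0.113.7', '203.0.113.0/24').
function ipInCidr(ip, cidr) {
  const [base, prefix = '32'] = cidr.split('/');
  const bits = Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix in ${cidr}`);
  // A /0 must be handled separately: JavaScript shift counts are taken modulo 32.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Does the token cover this package, either by exact name or via an allowed scope?
function packageCovered(policy, pkg) {
  if (policy.packages.includes(pkg)) return true;
  // A scope entry such as "@acme" covers every package named "@acme/<something>".
  return policy.scopes.some((scope) => pkg.startsWith(`${scope}/`));
}

// Evaluate one request against the token's policy. Deny-by-default: the first
// failed restriction decides, and only a request that clears all of them is allowed.
function evaluateRequest(policy, req) {
  if (new Date(req.at) >= new Date(policy.expiresAt)) {
    return { allowed: false, reason: 'token expired' };
  }
  if (policy.allowedIpRanges.length > 0 &&
      !policy.allowedIpRanges.some((cidr) => ipInCidr(req.clientIp, cidr))) {
    return { allowed: false, reason: 'client IP outside allowed ranges' };
  }
  if (req.action === 'publish' && policy.permission !== 'read-write') {
    return { allowed: false, reason: 'token is read-only' };
  }
  if (!packageCovered(policy, req.package)) {
    return { allowed: false, reason: 'package not covered by token' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample policy: a publish token limited to one package plus one scope,
// usable only from a CI subnet, expiring one year after the date of this article.
const SAMPLE_POLICY = {
  permission: 'read-write',
  packages: ['left-pad-clone'],
  scopes: ['@acme'],
  allowedIpRanges: ['203.0.113.0/24'],
  expiresAt: '2023-12-12T00:00:00Z',
};

// Constructed requests, one per restriction (the first is the only one that passes).
const SAMPLE_REQUESTS = [
  { action: 'publish', package: '@acme/widget', clientIp: '203.0.113.7', at: '2023-01-15T10:00:00Z' },
  { action: 'publish', package: 'left-pad-clone', clientIp: '198.51.100.5', at: '2023-01-15T10:00:00Z' },
  { action: 'publish', package: '@other/widget', clientIp: '203.0.113.7', at: '2023-01-15T10:00:00Z' },
  { action: 'publish', package: '@acme/widget', clientIp: '203.0.113.7', at: '2024-01-15T10:00:00Z' },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.action, req.package, 'from', req.clientIp, '->', evaluateRequest(SAMPLE_POLICY, req));
}
```

The order of the checks matters for what a caller learns from a refusal: an expired or out-of-range token is rejected before the package list is consulted, so a leaked token used from an unexpected network reveals nothing about which packages it was scoped to.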
The other addition expands the existing npm code explorer, which until now was only available as a subscription option. Previously, developers had to download an npm package to inspect its contents, which is a problem if the package contains malicious or otherwise harmful code, since install scripts can run that code on your system as soon as the package is installed.
The npm code explorer lets developers view the contents of a package directly from the npm portal. It provides syntax highlighting for .js, .ts, .md, .json and .css files, and it can also be used to view the contents of any prior version of a package.
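When reading a package's contents before installing it, the first thing to look for is the lifecycle scripts that npm runs automatically during installation, since those are the ones the article warns about. The following is an added example, not code from npm or GitHub: the manifests are constructed, and the pattern list is a hypothetical triage heuristic, not an npm feature.

```javascript
// Added example, not code from npm or GitHub: a manifest check a reviewer can run
// before installing a package, listing the lifecycle scripts npm executes on its
// own at install time. The manifests below are constructed for illustration.

// Hooks npm runs automatically when the package is installed from the registry.
// ("prepare" also exists, but runs for git and local installs, not registry tarballs.)
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Hypothetical triage heuristic: markers of a script that fetches or evaluates
// code at install time. A match means "read this by hand", not "malicious".
const SUSPECT_PATTERNS = [/\bcurl\b/, /\bwget\b/, /node\s+-e\b/, /\beval\b/, /\bbase64\b/];

// Return the install-time hooks declared in a package.json object, with a flag for
// commands that match one of the heuristic patterns.
function installTimeScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string').map((hook) => ({
    hook,
    command: scripts[hook],
    suspicious: SUSPECT_PATTERNS.some((re) => re.test(scripts[hook])),
  }));
}

// Summarize what installing each manifest would execute: 'clean' when nothing
// runs, 'runs scripts' when hooks exist, 'review' when a hook matches a pattern.
function reviewManifests(manifests) {
  return manifests.map((m) => {
    const hooks = installTimeScripts(m);
    const verdict = hooks.length === 0 ? 'clean'
      : hooks.some((h) => h.suspicious) ? 'review'
      : 'runs scripts';
    return { name: `${m.name}@${m.version}`, hooks, verdict };
  });
}

// Constructed manifests: one with no install hooks, one with an ordinary native
// build step, and one whose postinstall evaluates code inline.
const SAMPLE_MANIFESTS = [
  { name: 'tidy-strings', version: '1.4.0', scripts: { test: 'node test.js' } },
  { name: 'native-hash', version: '0.9.2', scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'colorz-utils', version: '2.0.1', scripts: { postinstall: 'node -e "require(\'./setup\')"' } },
];

for (const r of reviewManifests(SAMPLE_MANIFESTS)) {
  console.log(r.name, '->', r.verdict, r.hooks.map((h) => `${h.hook}: ${h.command}`));
}
```

A "runs scripts" verdict is common for packages with native addons, so the summary is a prompt to read the referenced files in the code explorer rather than a judgement on its own.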
Both features are available now.
Last Updated (Monday, 12 December 2022)