
[Feature] tokenHelper support on .npmrc #8141

Open
@hi120ki

Description

@hi120ki

To fetch private npm packages, we need to write credentials in the .npmrc or specify them via environment variables. However, it is currently recommended to use short-lived tokens as a countermeasure against credential leakage and not to leave credentials written in static files. This is a security feature supported not only by npm but also by Docker, through a mechanism called a credential helper.

By supporting this in npm, credentials will not be retained at the endpoint, significantly reducing the damage from leaks.

This feature is also supported by pnpm, a wrapper tool for npm, and it is recommended to apply it upstream in a compatible manner.

https://pnpm.io/npmrc#urltokenhelper
A token helper is an executable which outputs an auth token. This can be used in situations where the authToken is not a constant value but is something that refreshes regularly, where a script or other tool can use an existing refresh token to obtain a new access token.

The configuration for the path to the helper must be an absolute path, with no arguments. In order to be secure, it is only permitted to set this value in the user .npmrc. Otherwise a project could place a value in a project's local .npmrc and run arbitrary executables.
Setting a token helper for the default registry:

tokenHelper=/home/ivan/token-generator

Setting a token helper for the specified registry:

//registry.corp.com:tokenHelper=/home/ivan/token-generator

If you have any insights or recommendations regarding this feature request, please comment.

Thank you!


Metadata

Assignees

No one assigned

    Labels

    Enhancement (new feature or improvement), Registry (specific to registry implementation)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests