[Bug]: too many collaborators on npm package

[benmccann]

Bug Description

I can't count how many people have access to publish @zapier/zapier-sdk, which is probably a big driver of how it was compromised.

You should reduce the number of tokens with publish access. One way to do this would be to setup a tool like changesets to handle publishing so that only the tool has access rather than so many individual accounts

I would also recommend setting up OIDC publishing and package provenance

Reproduction Steps

Visit https://www.npmjs.com/package/@zapier/zapier-sdk. Look at collaborators section

Zapier Platform version

all

Node.js version

all

Your Operating System

No response

npm/yarn version

No response

App ID

No response

More Details

No response

[Paul0Net0]

Hey @benmccann Thank you for raising this issue/feedback and helping improve the Zapier Developer Platform.

I've passed this along to the developer/security team responsible for the NPM package for further review.

I would also recommend using our Developer Support form to request further updates, report new issues, or request new features in the future. That will ensure your enquiry is quickly handled by the right team.

Thanks again!