item 46032774 (no title)

timgl | 3 months ago
The packages were published using a compromised key directly, not through our CI/CD. We rolled the key, and published a new clean version from our repo through our CI/CD: https://github.com/PostHog/posthog-js/actions/runs/196303581...

    progbits | 3 months ago
    Why do you keep using token auth? This is unacceptable negligence these days. NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

        timgl | 3 months ago
        Yep, we are moving to workflow OIDC as the next step in recovery.

        junon | 3 months ago
        OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

huflungdung | 3 months ago
[deleted]
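The workflow-OIDC publishing setup that progbits describes and timgl says they are moving to, written out as an added example. This is not PostHog's workflow and not code from this thread: it is a GitHub Actions release workflow that publishes to npm through npm's trusted publishing (OIDC) so that no long-lived npm token exists to be stolen. It assumes the package has been registered on npmjs.com with this repository and this workflow file name (`publish.yml`, an assumed name) as its trusted publisher, and that the package's publishing access on npmjs.com has been set to disallow tokens; the release trigger, the Node version and the `npm install -g npm@latest` step (trusted publishing needs a recent npm CLI, newer than the one bundled with current Node LTS at the time of writing) are also assumptions.

```yaml
# publish.yml (assumed file name; must match the workflow registered as the
# package's trusted publisher on npmjs.com). Added example, not PostHog's workflow.
name: Publish to npm via trusted publishing

on:
  release:
    types: [published]   # assumed trigger: publish only on a tagged GitHub release

# Least privilege: the job can read the repo and mint an OIDC token, nothing else.
# No NODE_AUTH_TOKEN / NPM_TOKEN secret is referenced anywhere in this file.
permissions:
  contents: read
  id-token: write        # lets npm obtain a short-lived OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22                          # assumed version
          registry-url: https://registry.npmjs.org  # registry the OIDC token is exchanged with

      # Trusted publishing needs a recent npm CLI; the one bundled with Node may be older.
      - run: npm install -g npm@latest

      - run: npm ci

      # With a trusted publisher configured, npm exchanges the GitHub OIDC token for a
      # one-time publish credential. --provenance attaches a signed attestation that
      # links the published tarball to this exact repo, workflow and commit.
      - run: npm publish --provenance --access public
```

Two things follow from junon's caveat that OIDC "has its own set of vectors". First, the registry now trusts whatever this workflow file does, so the repository itself becomes the credential: branch protection on the release branch, required reviews for changes to `.github/workflows/`, and pinning third-party actions to commit SHAs rather than mutable tags are what stand between a repo compromise and a malicious publish. Second, the provenance attestation is what lets consumers and responders distinguish a release like this one from a package pushed directly with a leaked token, as in the incident timgl describes: a version on the registry with no provenance, or provenance pointing at an unexpected repository or workflow, is the detection signal.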