Google spares npm users’ blushes with Wombat Dressing Room

Google has promised to take some of the pain – or at least some of the risk – out of publishing to npm, with the open sourcing of its Wombat Dressing Room npm registry proxy.

The cloud giant’s Benjamin Coe said it had been using Wombat Dressing Room to manage Google Cloud client libraries “for over a year now in our fully automated library release process.”

The aim is to better automate the process of publishing to npm, and maintain good security practices. One good security practice is of course 2FA. Unfortunately, says Coe, “It’s difficult to automate the step of entering a code off a cellphone. As a result, folks often opt to turn off 2FA in their automation.” Which of course is not a good practice.

“With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared proxy server. Publications are then directed at the Wombat Dressing Room proxy,” he continues.

Or, as the service's GitHub page puts it, “You publish to Wombat Dressing Room, and it enforces additional security rules, before redirecting to registry.npmjs.org… Publishes are made from a single npm account with 2FA enabled (a bot account).” In addition, “Publishes can be made using the npm CLI, by making Wombat Dressing Room the default registry.”

Unsurprisingly, using the service requires an npm account, and even less surprisingly, a Google Cloud Platform account to deploy to, plus a GitHub OAuth Application to perform authentication and authorization.

The Wombat Dressing Room proxy can provide per-package publication tokens, which “are tied to a single GitHub repository, which the user generating the token must have push permissions for.”

That way, writes Coe, “If a per-package publication token is leaked, an attacker can only hijack the single package that the token is associated with.”

The service can also generate tokens with a 24-hour lifespan. Alternatively, users can opt for GitHub releases as 2FA, where “a package can only be published to npm if a GitHub release with a corresponding tag is found on GitHub.”

You can find full details of how to set up the service in the project's GitHub repository.