DEV Community

Cover image for Securely Automating npm publish with the New npm Automation Tokens
Tierney Cyren
Tierney Cyren

Posted on

Securely Automating npm publish with the New npm Automation Tokens

Today, npm has now shipped automation tokens 🎉

Previously, if you wanted to automatically publish an npm module from CI/CD you had a choice - have 2FA turned off and allow publishing via a token or have 2FA turned on and build a custom tool to allow you to input a 2FA code when your CI/CD is trying to publish.

This was a challenging system since it made users choose between smooth DX or security. This has been impactful historically - there have been cases (for example, the eslint-scope incident) where maintainers' accounts were hijacked and impactful modules were compromised since they didn't have 2FA for user publishes turned on.

Since 2FA on publish was introduced, folks in the ecosystem have been asking for the ability to have some way to automatically publish modules from CI while also having 2FA for user-publishes turned on.

Today, the npm team delivered one of the proposed solutions: automation tokens.

What are Automation Tokens?

Automation tokens are effectively publish tokens that a user can create to publish a module from an automated process. They skip the OTP (one-time password) check and ship it.

Say, for example, that you're the maintainer of a module called good-first-issue. Instead of having to pull good-first-issue locally and publish after opening up your 2FA app and typing in the OTP, you could instead set up your favorite CI - GitHub Actions CI, CircleCI, Travis, or whatever else - to automatically publish whenever certain conditions are met. Semantic Release is a pretty wonderful example of this kind of automation.

This has the obvious benefit of streamlining workflows and reducing maintainer burden. It also helps reduce risk - in pulling down and publishing or having to build a custom publishing system both have their own additional levels of potential risk. With automation tokens, we can now pretty easily just ship code where we build it.

How can I Use Automation Tokens?

To publish with Automation Tokens today, you'll want to do a few things to get going.

First, to actually publish to a module with an automation token, you'll need to update the module's Settings. Specifically, you'll need to change the module's Publishing Access from whatever it was previously (either Two-factor authentication is not required or Require two-factor authentication to publish) to the new option, Require two-factor authentication or automation tokens.

Screenshot of npm's access page, showing off the new option

Once you've updated that, you'll now be able to use Automation Tokens for publishing that module.

To get an automation token, you'll want to head over to your user settings. From that, you'll open up the Access Tokens page and then create a new token. When you start the token creation flow, you'll have the option to select Automation. Once you do, click Generate Token and you'll be shown the token once - copy it, and you're all set.

Looking Forward

There are a handful of use cases where this current implementation is extremely useful - specifically, my perspective is that it's most useful where you're an individual maintainer with a limited set of projects.

That said, this is the first step in the right direction for more granular controls for all kinds of maintainers to securely manage their modules with a good DX while being as secure as possible. In speaking with the npm team, they're exploring further iteration in this space that I'm super excited for.

Top comments (5)

Collapse
 
yoursunny profile image
Junxiao Shi

What prevents an automation token from being stolen and used maliciously without 2FA?

Collapse
 
mithasalman profile image
Salman

Someone pls suggest how secure this is? A malicious dependency could steal envs from process.env. Any way to avoid that?

Collapse
 
appsparkler profile image
Akash

I guess you can create your own private-repository and point to it with encoded access-token.

The encoded token can be decoded and publish to NPM from your private-repository.

Collapse
 
luisenmarroquin profile image
Luis Marroquin

How can I use it to publish a package?

Collapse
 
appsparkler profile image
Akash • Edited

I managed to figure this out after some research. I've also written a blog post about it.

Basically:

Step 1

Get a publish token from your account : docs.npmjs.com/creating-and-viewin...

Step 2

Add .npmrc file to your project root with the following contents by replacing your-access-token with the token you got in step 1.

//registry.npmjs.org/:_authToken=your-access-token
Enter fullscreen mode Exit fullscreen mode

Source : docs.npmjs.com/using-private-packa...

Step 3

Bump the version and publish the package

npm version patch # to bump the version.  You can use major, premajor, minor, preminor, patch or prepatch here depending on your changes.
npm publish --access public # to publish the package
Enter fullscreen mode Exit fullscreen mode