DEV Community

Discussion on: Securely Automating npm publish with the New npm Automation Tokens

Junxiao Shi

What prevents an automation token from being stolen and used maliciously without 2FA?

Salman

Someone pls suggest how secure this is? A malicious dependency could steal envs from process.env. Any way to avoid that?