
[QUESTION] Possibility of auth token to leak when keeping .npmrc in dotfiles repository #1092

Closed
kuon opened this issue Apr 1, 2020 · 9 comments
Labels
Awaiting Information (further information is requested)

Comments

@kuon

kuon commented Apr 1, 2020

What / Why

I keep my .npmrc in my public "dotfiles" repository.

Today I noticed that after logging in to npm to push a package, the auth token was added to that file. I nearly pushed it to my public dotfile repository, but hopefully I did notice it before committing.

After a quick GitHub search, I found dozens of public .npmrc files with auth tokens in them. I didn't test any of them, but it seems to be a security problem.

I think security tokens should be kept separate from the configuration file.

References

@ljharb
Contributor

ljharb commented Apr 1, 2020

That's not a reasonable file to keep in your dotfiles.

@kuon
Author

kuon commented Apr 1, 2020

I beg to differ; it's a configuration file, and like all rc files it is perfectly reasonable to keep in a dotfile repository.

The related issue I linked has a clear explanation of the separation between configuration and authentication.

@ljharb
Contributor

ljharb commented Apr 1, 2020

Except that since day one, it's contained auth data, and config files do occasionally have credentials in them.

@kuon
Author

kuon commented Apr 1, 2020

Then it's been bad practice from day one; there are thousands of auth tokens scattered online because of this. Why aren't you even considering addressing it? This is not the first time this issue has been brought to your attention.

@ljharb
Contributor

ljharb commented Apr 1, 2020

To be clear, I don't work at npm nor maintain this repo; I'm just saying that moving the auth info into a separate file won't solve the root problem, which is that you simply can't naively add dotfiles into a dotfiles repo without reading the docs to determine if there could be credentials in it.

@kuon
Author

kuon commented Apr 1, 2020

> To be clear, I don't work at npm nor maintain this repo; I'm just saying that moving the auth info into a separate file won't solve the root problem, which is that you simply can't naively add dotfiles into a dotfiles repo without reading the docs to determine if there could be credentials in it.

Well, on some level I agree with that. You have to be careful of what you commit to your public repository.

But my point is that this can be a security issue for the npm ecosystem, and I think it should be addressed.

The main problem is that there are many valid arguments for modifying .npmrc manually with your configuration, and it can make sense to keep this configuration in a repository. But npm will silently add the auth token to that file, even if you "hand crafted" it yourself. Then it can be very easy to overlook this and commit the file.

Hopefully, I did notice and didn't commit my token, but I nearly did, and I can see situations where I would not have noticed (file longer with comments, me being tired...).

I am not arguing about the best design or anything, I just think there is a possible security issue and npm can do something to reduce it. It won't prevent people from committing the credential file if they really want to, but if it is located in a more appropriate place (like .cache/ on linux), the risk of leaking the auth token would be reduced.
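The risk described in this thread (npm writing a literal token into a hand-maintained .npmrc that then lands in a dotfiles repo) can be caught before the commit happens. The script below is an added example written for this page, not npm's code and not from anyone in the thread. It flags an .npmrc that carries a literal `_authToken`, `_auth` or `_password` value, while accepting the form npm itself documents for keeping the secret out of the file, an environment-variable reference such as `${NPM_TOKEN}` (the variable name `NPM_TOKEN` is an assumption; any name works). The sample .npmrc contents are constructed, and the token value is an obvious placeholder.

```shell
#!/bin/sh
# Added example, not npm's code: refuse to commit an .npmrc that holds a
# literal npm credential. Intended for a git pre-commit hook or a dotfiles
# repo's CI. Credential values are never printed, only the key names.

# Return 0 (true) when FILE contains a credential key whose value is a literal
# secret; return 1 when every credential line uses a ${VAR} reference or when
# there is no credential line at all. Comment lines (';' or '#') are ignored.
npmrc_has_literal_secret() {
  file="$1"
  [ -f "$file" ] || return 1
  grep -v '^[[:space:]]*[;#]' "$file" \
    | grep -E '(_authToken|_auth|_password)[[:space:]]*=' \
    | grep -Ev '=[[:space:]]*"?\$\{[A-Za-z_][A-Za-z0-9_]*\}"?[[:space:]]*$' \
    | grep -q .
}

# Print "<lineno>:<key>=<redacted>" for every credential line in FILE so the
# offending line can be located without echoing the secret into hook output
# or CI logs.
npmrc_redacted_lines() {
  grep -nE '(_authToken|_auth|_password)[[:space:]]*=' "$1" \
    | sed -E 's/=.*/=<redacted>/'
}

# Stand-alone usage: sh check-npmrc.sh ~/.npmrc dotfiles/.npmrc
# Exit status 1 when any argument holds a literal credential.
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do
    if npmrc_has_literal_secret "$f"; then
      echo "REFUSE: $f contains a literal npm credential:" >&2
      npmrc_redacted_lines "$f" >&2
      rc=1
    fi
  done
  exit "$rc"
fi
```

With the check in place, the .npmrc kept in the dotfiles repo can carry only `//registry.npmjs.org/:_authToken=${NPM_TOKEN}` and the real token lives in the shell environment or a secrets manager; `npm login` will still rewrite the line with a literal token, which is exactly the event the hook catches.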

@ljharb
Contributor

ljharb commented Apr 1, 2020

Luckily, any committed npm token has been automatically identified by GitHub and invalidated for a year or two now.

@kuon
Author

kuon commented Apr 1, 2020

> Luckily, any committed npm token is automatically identified by github and invalidated, for a year or two now.

Well, yeah, GitHub did a good job with their tool. But this doesn't mean it shouldn't be addressed "upstream".

@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
