undefined | Better HN

0 pointsbrabel4mo ago0 comments

If anything people should use an older version of the packages. Your newest versions had just been compromised, why should anyone believe this time and next time it will be different?!

0 comments

timgl4mo ago

The packages were published using a compromised key directly, not through our ci/cd. We rolled the key, and published a new clean version from our repo through our CI/CD: https://github.com/PostHog/posthog-js/actions/runs/196303581...

progbits4mo ago

Why do you keep using token auth? This is unacceptable negligence these days.

NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

timgl4mo ago

Yep, we are moving to workflow OIDC as the next step in recovery.

junon4mo ago

OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

1 more reply

j / k navigate · click thread line to collapse

0 pointsbrabel4mo ago0 comments

If anything people should use an older version of the packages. Your newest versions had just been compromised, why should anyone believe this time and next time it will be different?!

0 comments

timgl4mo ago

progbits4mo ago

Why do you keep using token auth? This is unacceptable negligence these days.

NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

timgl4mo ago

Yep, we are moving to workflow OIDC as the next step in recovery.

junon4mo ago

OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

1 more reply

j / k navigate · click thread line to collapse