he/him 
npm enterprise customers have a larger range of login options. Unfortunate that we can't get the same for public use https://github.com/npm/npm/pull/13389 …
npm registry needs 2-factor for package publishing. Automatic CI publishing is bad for security.
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Aren't the secure keys of Travis enough?
-
Nope. Majority of people screw it up. People are still leaking tokens and have bad passwords. https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md …
- 1 more reply
New conversation -
-
-
2FA for all is happening. No ship date.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
I'd disagree on CI publish. I'd prefer expiring auth tokens and refreshing requires 2FA, so ops can confirm that occasionally.
-
The endpoints have been there for ages, just ENOTIME to finish it off.
- 1 more reply
New conversation -
-
-
Agreed except would be nice to have a way for "nightly builds releases" automated still
- 3 more replies
New conversation -
-
-
Two factor would be good. But CD servers help instead of hurt. It's easier to impose consistent defenses on CD servers than on dev machines.
-
If it's a question of intentionality, require the HEAD of the branch to have a valid signature before CD is willing to deploy it.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.