Replies: 1 comment, 1 reply

I think we want to do this, but it was not a high priority yet:
Pub allows publishing a package from GitHub Actions. Once automated publishing is enabled and configured, it's still possible to manually pub publish a package outside of Actions. In my opinion, that isn't necessary for most packages, since all versions would realistically be published through the automation.

So I want to suggest an option to disable publishing without an OIDC token on a per-package basis. This would make pub.dev more resilient to the current npm situation, since stealing a long-lived pub token wouldn't enable an attacker to publish malicious versions of pub packages.
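For readers who have not set up the automated publishing the post refers to, here is the shape of the GitHub Actions workflow that publishes through OIDC, added as an illustration (it is not part of the original discussion or of pub.dev's own code). The job asks GitHub for an `id-token: write` permission so the runner can mint a short-lived OIDC token; pub.dev checks that token against the repository and tag pattern registered in the package's admin settings, so no long-lived pub credential ever lives in the repository. The workflow name, the trigger tag pattern and the assumed pub.dev tag-pattern setting are assumptions for the example.

```yaml
# Added example workflow, not from the original discussion. It assumes the
# package's pub.dev admin settings list this repository with the tag
# pattern v{{version}} (an assumption made for illustration).
name: Publish to pub.dev

on:
  push:
    tags:
      # Only version tags trigger a publish; the tag must match the
      # pattern registered on pub.dev, e.g. v1.2.3 publishes version 1.2.3.
      - 'v[0-9]+.[0-9]+.[0-9]+'

jobs:
  publish:
    # id-token: write lets the job request a GitHub OIDC token. pub.dev
    # verifies that token and issues a short-lived publishing grant, so no
    # long-lived pub token is stored as a repository secret.
    permissions:
      id-token: write
    # Reusable workflow maintained by the Dart team that runs
    # `dart pub publish` using the OIDC token obtained above.
    uses: dart-lang/setup-dart/.github/workflows/publish.yml@v1
```

With this in place, every release flows through the workflow, which is exactly why the post argues that the remaining path (a maintainer's long-lived pub token used from a laptop) is an attack surface that could be switched off per package: the stolen token would then no longer be sufficient to publish.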