NPM Permissions #481
moonmeister
started this conversation in
RFC
Replies: 0 comments
We've had a hiccup. Historically, the Gatsby UC, when taking over a plugin, has left its founding maintainers on the npm package.
I did this for a couple of reasons, but mostly, I didn't see the harm, and it provided more "bus factor." These 'write' permissions, though, also allow package maintainers to remove Gatsby UC's access to publish packages. That's not good! We're in the midst of resolving such a situation with one of our packages.
I believe this instance was an accident, but it means we're delayed in releasing some package updates. I have now removed all other package owners. The Gatsby UC needs to be able to release updates if necessary. Additionally, we need a source of truth for packages, and that should be the Gatsby UC and our build pipelines. We need to improve the "bus factor" by increasing who can merge code, not who can publish code. (NOTE: Because of our build pipelines, if you can merge code you CAN publish code.)
If anyone has donated a plugin and has concerns, please reach out so we can chat and find a solution.
Thanks
AJ
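The post rests on one property of npm ownership: every account listed by `npm owner ls` holds full write rights, including the right to remove the org's publishing account. The script below is an added example (not code from the Gatsby UC or this post) of the periodic check a maintainer can run to catch that drift: it parses `npm owner ls` output and reports any owner that is not on an expected allowlist, and any expected account that has lost access. The package name, the account name `gatsby-uc-bot`, and the sample owner list are constructed assumptions.

```python
"""Audit npm package owners against an expected allowlist.

Added example, not part of the original discussion post. `npm owner ls <pkg>`
prints one "<username> <email>" line per owner; every listed account can
publish and can remove other owners, so the list should match exactly the
accounts the org's build pipeline publishes with.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of `npm owner ls` output (assumed package and accounts).
SAMPLE_OWNER_OUTPUT = """\
gatsby-uc-bot <bot@example.invalid>
original-author <author@example.invalid>
"""

# Assumed: the single org account that CI publishes with.
EXPECTED_OWNERS = frozenset({"gatsby-uc-bot"})


@dataclass
class OwnerAudit:
    package: str
    owners: set          # every account currently holding write access
    extra: set           # accounts with write access that are not expected
    missing: set         # expected accounts that no longer have access

    @property
    def ok(self) -> bool:
        return not self.extra and not self.missing


def parse_owner_list(output: str) -> set:
    """Extract the usernames from `npm owner ls` output, ignoring emails."""
    owners = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        owners.add(line.split()[0])
    return owners


def audit_owners(package: str, output: str, expected=EXPECTED_OWNERS) -> OwnerAudit:
    """Compare the live owner list with the allowlist and classify the drift."""
    owners = parse_owner_list(output)
    expected = set(expected)
    return OwnerAudit(package, owners, owners - expected, expected - owners)


def fetch_owner_list(package: str) -> str:
    """Run `npm owner ls` for a real package (needs network and the npm CLI)."""
    result = subprocess.run(
        ["npm", "owner", "ls", package],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    audit = audit_owners("gatsby-plugin-example", SAMPLE_OWNER_OUTPUT)
    if audit.ok:
        print(f"{audit.package}: owners match allowlist")
    else:
        print(f"{audit.package}: unexpected owners {sorted(audit.extra)}, "
              f"missing owners {sorted(audit.missing)}")
```

Run this against each package the org publishes (swap `SAMPLE_OWNER_OUTPUT` for `fetch_owner_list(name)`) from a scheduled job; a non-empty `missing` set is the early warning for exactly the situation the post describes, where the org account has been removed and releases stall until access is restored.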