Automation and security? You can have both!

Google has open-sourced Wombat Dressing Room, a security tool used when handling npm publications

Google has open-sourced an npm publishing tool for heightened security across organizations’ client libraries.

The tool, Wombat Dressing Room, aims to reduce the security risks associated with the automation of npm publishing.

“On my team, a small number of developers manage over 75 Node.js libraries,” Benjamin Coe, developer engineer at Google, said in an announcement on Friday (January 10).

“We see automation as key to making this possible,” he said.

Npm (Node Package Manager) is an open source package repository and command-line interface used by Node.js developers to quickly publish and distribute code and updates to packages.

Two-factor authentication (2FA) is offered by npm as a way to protect the channels between developer consoles and distribution, and prevent threat actors from being able to hijack packages for their own purposes.

But developers all too often make a trade-off between convenience and security, Coe said.

“It’s difficult to automate the step of entering a code off a cellphone,” he said. “As a result, folks often opt to turn off 2FA.”

This is why Google created Wombat Dressing Room, Coe said, which is used by the Google Cloud Client Libraries team to manage code publishing, while implementing 2FA on behalf of the user.

“With Wombat Dressing Room, rather than an individual configuring two-factor authentication in an authenticator app, 2FA is managed by a shared proxy server,” Coe said.

Wombat Dressing Room runs on Google App Engine and is now available on GitHub under an Apache 2.0 license.

Publishes are also performed with per-package authentication tokens, each generated for, and tied to, a single repository on GitHub.

Therefore, should a per-package publication token end up compromised, only one package can be hijacked.

“It’s my hope that this will help other folks in the community, simplify and automate their release process, while minimizing the attack surface of their libraries,” Coe said.
