GitHub has announced several changes to the NPM ecosystem in response to security problems that have surfaced, the most recent being that attackers managed to take control of the coa NPM package and published versions 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3 containing malicious changes.
In view of this, and of the growing number of incidents in which the repositories of large projects are hijacked and malicious code is pushed after developer accounts are compromised, GitHub has introduced extended account verification.
Separately, for the maintainers and administrators of the 500 most popular NPM packages, mandatory two-factor authentication will be introduced early next year.
From December 7, 2021 to January 4, 2022, all maintainers who have the right to publish NPM packages but do not use two-factor authentication will be migrated to extended account verification. Extended verification requires entering a unique code sent by email whenever you try to sign in to the npmjs.com site or perform an authenticated operation in the npm utility.
Extended verification does not replace, but only supplements, the optional two-factor authentication that was already available, which requires confirmation with time-based one-time passwords (TOTP). Extended email verification is not applied when two-factor authentication is enabled. Starting February 1, 2022, the process of moving the 100 most popular NPM packages with the largest number of dependents to mandatory two-factor authentication will begin.
As GitHub's announcement puts it: "Today we are introducing enhanced login verification on the npm registry, and we will begin a staggered rollout to maintainers starting December 7 and completing on January 4. npm registry maintainers who have publish access to packages and do not have two-factor authentication (2FA) enabled will receive an email with a one-time password (OTP) when authenticating through the npmjs.com website or the npm CLI.
This emailed OTP will need to be provided in addition to the user's password before they are authenticated. This additional layer of authentication helps prevent common account takeover attacks, such as credential stuffing, which exploit users' compromised and reused passwords. It is worth noting that enhanced login verification is intended to be an additional baseline protection for all publishers. It is not a replacement for 2FA, NIST 800-63B. We encourage maintainers to opt in to 2FA authentication. By doing so, you will not need to perform enhanced login verification."
Once the migration of the first hundred is complete, the change will be extended to the 500 most popular NPM packages, ranked by number of dependents.
In addition to the currently available application-based two-factor schemes that generate one-time passwords (Authy, Google Authenticator, FreeOTP, etc.), in April 2022 they plan to add the ability to use hardware keys and biometric scanners through support for the WebAuthn protocol, as well as the ability to register and manage several different additional authentication factors.
Recall that according to a study carried out in 2020, only 9.27% of package maintainers used two-factor authentication to protect access, and in 13.37% of new account registrations developers tried to reuse compromised passwords that had appeared in known password leaks.
In an analysis of the strength of the passwords in use, 12% of NPM accounts (13% of packages) were accessible because of predictable, trivial passwords such as "123456". The problem accounts included those of 4 maintainers of the 20 most popular packages, 13 accounts whose packages are downloaded more than 50 million times a month, 40 with more than 10 million downloads a month and 282 with more than one million downloads a month. Taking into account how modules are pulled in along the dependency chain, compromising these accounts could affect up to 1% of all NPM modules.
Finally, if you want to know more, you can check the details in the original note at the following link.