What worries me is that this is possible at all. npm stores npmjs.org credentials in a repository-local dotfile, and this is how packages are submitted?!

PHP's package repository, Packagist, doesn't have this problem because it's in the browser. You never enter or store any credentials on the command-line, you click a button on the Packagist site and it tracks your already-published GitHub repository.

Like most dotfiles it starts in the current directory and works its way up. Unless npm has changed, the default location for .npmrc is your home directory. You have to actively store the file in the repo.

This is what I'm not understanding about this. How in the world do you make the mistake of storing credential files in a repo? And this seems to be beyond people not making template files for configs. Then again, I don't know anything about NodeJS packaging.
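As an added example (not written by any commenter above), a defender-side check for the mistake the thread is discussing: walk a checkout for repository-local .npmrc files and report the keys that carry credentials, so the check can run before a commit or in CI. The `_auth`, `_authToken` and `_password` keys are real npm config keys; the sample tree, its file contents and the `npm_REDACTED_EXAMPLE` token are constructed for the demonstration.

```python
"""Find npm credentials committed in repository-local .npmrc files."""
import os
import re
import tempfile
from pathlib import Path

# .npmrc keys whose value is a secret. _authToken and _password are usually
# scoped to a registry, e.g. `//registry.npmjs.org/:_authToken=...`.
SECRET_KEYS = {"_auth", "_authToken", "_password"}

# key = value; lines starting with ';' or '#' are comments and never match.
_LINE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")


def find_secret_keys(npmrc_text: str) -> list:
    """Return the credential-bearing keys (with any registry scope prefix)
    that have a non-empty value in an .npmrc body."""
    found = []
    for line in npmrc_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key = m.group("key")
        bare = key.rsplit(":", 1)[-1]  # strip a `//host/:` scope prefix
        if bare in SECRET_KEYS and m.group("value"):
            found.append(key)
    return found


def scan_repo(root) -> dict:
    """Map each offending .npmrc path (relative to root) to its secret keys.
    Only the checkout is walked; ~/.npmrc lives outside it and is not read."""
    root = Path(root)
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if ".npmrc" in filenames:
            path = Path(dirpath) / ".npmrc"
            keys = find_secret_keys(path.read_text(encoding="utf-8"))
            if keys:
                report[path.relative_to(root).as_posix()] = keys
    return report


def demo_report() -> dict:
    """Build a constructed checkout and scan it: the root .npmrc only pins
    the registry (fine), a vendored package's .npmrc leaks a token."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".npmrc").write_text("registry=https://registry.npmjs.org/\n")
        widget = Path(tmp, "vendor", "widget")
        widget.mkdir(parents=True)
        (widget / ".npmrc").write_text(
            "; constructed sample, not a real token\n"
            "//registry.npmjs.org/:_authToken=npm_REDACTED_EXAMPLE\n")
        return scan_repo(tmp)
```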