NPM package registry documentation recommends a practice that is insecure and can lead to leaked access tokens
Proposal
We had an incident where a team member leaked their personal access token while trying to learn how to work with packages in GitLab. They committed their personal access token to a public repository and someone from outside GitLab spotted the token and (thankfully) reported it to us.
I think that can be partially attributed to the fact that we recommend doing that in the documentation: https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticate-with-a-ci-job-token
The way it's written right now, we suggest using a `.npmrc` file with the hardcoded `_authToken` and present using CI variables as an alternative. I think we should document how to do it with CI variables first and mention the `.npmrc` way as a potential alternative for working locally, but also mention that this file should never be committed with a hardcoded `_authToken` in it.
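As an added example (not code from the GitLab documentation or from this issue), the following POSIX shell script shows the two `.npmrc` shapes the proposal contrasts: a hardcoded `_authToken` versus a `${CI_JOB_TOKEN}` reference that npm expands from the environment when it reads the file, so the committed file never holds a secret. It also includes a small check that a pre-commit hook or CI job could run to refuse a `.npmrc` containing a literal token. The registry path and the fake token value are placeholders I made up; `CI_JOB_TOKEN` is GitLab's predefined CI variable.

```shell
#!/bin/sh
# Added example, not GitLab's own documentation or code.
# Assumptions: REGISTRY_PATH is a placeholder for the project's npm registry
# scope, and the token value in write_npmrc_hardcoded is fake.
set -eu

# Placeholder registry scope (hypothetical project id 123).
REGISTRY_PATH='//gitlab.example.com/api/v4/projects/123/packages/npm/'

# Recommended shape: the file references an environment variable instead of a
# token. npm expands ${VAR} from the environment when it reads .npmrc, so the
# file contains no secret and can be committed. $1 = path of .npmrc to write.
write_npmrc_with_env_ref() {
  printf '%s:_authToken=${CI_JOB_TOKEN}\n' "$REGISTRY_PATH" > "$1"
}

# The shape the issue warns about: a literal token in the file. The value here
# is a constructed fake, not a real credential. $1 = path of .npmrc to write.
write_npmrc_hardcoded() {
  printf '%s:_authToken=glpat-EXAMPLE-NOT-A-REAL-TOKEN\n' "$REGISTRY_PATH" > "$1"
}

# Return 0 when every _authToken line in the file at $1 is a ${VAR} reference,
# and 1 when any _authToken line carries a literal value. Suitable for a
# pre-commit hook or a CI lint step.
check_npmrc() {
  if grep -E '_authToken=' "$1" \
     | grep -Ev '_authToken=[$][{][A-Za-z_][A-Za-z0-9_]*[}][[:space:]]*$' \
     > /dev/null; then
    return 1
  fi
  return 0
}

# Demonstration on two constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_npmrc_with_env_ref "$demo_dir/good.npmrc"
write_npmrc_hardcoded   "$demo_dir/bad.npmrc"

check_npmrc "$demo_dir/good.npmrc" \
  && echo "good.npmrc: token comes from the environment, safe to commit"
check_npmrc "$demo_dir/bad.npmrc" \
  || echo "bad.npmrc: hardcoded _authToken found, do not commit this file"
```

For local work, the same `${VAR}` form works with a personal access token exported in the shell (for example `NPM_TOKEN`) in place of `CI_JOB_TOKEN`, which avoids ever writing the token into the file; if a literal token is used locally anyway, the `.npmrc` belongs in `.gitignore`.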