To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "Configuring two-factor authentication".

You may also choose to allow publishing with either two-factor authentication or with automation tokens. This lets you configure automation tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes.

Configuring two-factor authentication

  1. On the npm "Sign In" page, enter your account details and click Sign In.

    Screenshot of npm login dialog

  2. Navigate to the package on which you want to require a second factor to publish or modify settings.

  3. Click Settings.

    Screenshot showing the admin tab on a package page

  4. Under "Publishing access", select the requirements to publish a package.

    1. Don't require two-factor authentication
       With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.

    2. Require two-factor authentication or automation tokens or granular access token
       With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the npm publish command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create an automation token or a granular access token and use that to publish. A second factor is not required when using a token, making it useful for continuous integration and continuous deployment workflows.

    3. Require two-factor authentication and disallow tokens
       With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Automation tokens and granular access tokens cannot be used to publish packages.

    Screenshot showing the require two-factor option for a package

  5. Click Update Package Settings.
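The steps above configure the registry side. The other half of option 2, "Require two-factor authentication or automation tokens", is how the CI/CD workflow handles the token it publishes with, since that token is the one credential the second factor no longer protects. The script below is an added example, not code from the npm docs: it writes an .npmrc that names an environment variable instead of embedding the token, checks that no literal token was committed, and refuses to run when the secret is missing. The variable name NPM_TOKEN and the regular expression for a pasted token are this example's own choices; the "npm_" prefix it looks for is the prefix npmjs.com puts on the tokens it issues.

```shell
#!/bin/sh
# Added example, not code from the npm docs: handle an automation token in CI the
# way option 2 above intends. The secret is expected in an environment variable
# named NPM_TOKEN (a name chosen for this example; any CI secret name works).

# Write an .npmrc whose auth line names the variable instead of the token.
# npm expands ${NPM_TOKEN} when it reads the file, so the file itself holds no
# secret and can be committed.
write_npmrc() {
  # $1 = path of the .npmrc to write
  printf '%s\n' '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > "$1"
}

# Return 0 when the file contains no literal token, 1 when one was pasted in.
# Tokens issued by npmjs.com start with "npm_"; the pattern itself is this example's.
npmrc_is_clean() {
  if grep -Eq '_authToken=npm_[A-Za-z0-9]+' "$1"; then
    return 1
  fi
  return 0
}

# Fail fast when the secret is absent, rather than letting npm publish fall back
# to whatever credentials happen to be present on the runner.
require_token() {
  if [ -z "${NPM_TOKEN:-}" ]; then
    echo "NPM_TOKEN is not set; refusing to publish" >&2
    return 1
  fi
  return 0
}

# Typical CI usage (the publish step runs only when every check passes):
#   require_token && write_npmrc .npmrc && npmrc_is_clean .npmrc && npm publish
```

Run npmrc_is_clean as a pre-commit or CI check so a token that was pasted into .npmrc for a quick local test never reaches the repository. A maintainer publishing interactively under option 2 or 3 supplies the second factor with npm publish --otp=<code> instead; under option 3 the token path above is rejected by the registry entirely, which is the trade-off between the two settings.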
