Commit 3ab0472

Browse files
david-wiggs and Copilot authored
Update actions/ql/src/Security/CWE-798/NpmTokenInPublish.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1 parent 4eab3af commit 3ab0472

1 file changed, +1 −1 lines changed

actions/ql/src/Security/CWE-798/NpmTokenInPublish.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
## Overview
22

3-
The publish step sets `NODE_AUTH_TOKEN` (or `NPM_TOKEN`) from a repository secret. This is a long-lived credential that can be stolen and used to publish malicious versions from outside the CI/CD pipeline, as demonstrated by the axios@1.14.1 supply chain attack.
3+
The publish step sets `NODE_AUTH_TOKEN` (or `NPM_TOKEN`) from a GitHub Actions secret (`secrets.*`). This is a long-lived credential that can be stolen and used to publish malicious versions from outside the CI/CD pipeline, as demonstrated by the axios@1.14.1 supply chain attack.
44

55
## Recommendation
66
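Review bot: the new parenthetical `secrets.*` is broader than the sentence's "long-lived credential" claim, since `secrets.GITHUB_TOKEN` is also referenced through that context but is an ephemeral, per-job token rather than a stored npm credential; state which secrets the query flags (for example, "a stored secret such as `secrets.NPM_TOKEN`, as opposed to `secrets.GITHUB_TOKEN`") so readers of the alert know why that case is or is not reported. The sentence also cites the axios@1.14.1 supply chain attack without a link or reference; add one so the claim can be checked from the alert page.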
