“We found a 500-package limit for GitHub Packages for any user other than an organizational admin. Consequently, only people with organizational admin privileges can install all packages,” Bellware wrote in a LinkedIn post. “Those without those privileges can only install the first 498 packages. New packages, of course, represent new work. New work, which is a large share of what the team is doing, is stopped in its tracks. The cost of this is understandably eye-watering.”
After trying numerous workarounds, Bellware’s team realized the most practical solution would violate least privilege: “Our only option is to give organizational admin privileges to every single contributor on our team of 25+ people. The security implications of this are stunning,” Bellware wrote.
Making the situation worse were BrightWorks’ initial interactions with support for GitHub, which has been owned by Microsoft since 2018.