Question: Private repositories and organizations packages #240

Open
rafael-lua opened this issue Sep 16, 2024 · 4 comments
Comments

@rafael-lua

rafael-lua commented Sep 16, 2024

Hello, amazing tool!

If I may ask: is it only for public repositories/open-source projects, or can it be used for private libs as well? For example, with GitHub package registry org settings and permissions. If yes, does that mean that pkg.pr.new URLs also respect things like personal tokens and stuff?

@logitimate

Curious about this as well. Would love to use it for some private projects.

@kc0tlh

kc0tlh commented Sep 19, 2024

@Aslemammad & @apai4 to add some context: @logitimate is using StackBlitz Enterprise SaaS with a private Github Enterprise repository and npm registry. He needs to understand the security implications here:

  • Where are the packages that pkg.pr.new hosts?
  • Is there any special setup needed to make this work with Github Enterprise?

@TheBeachMaster

I have been able to use this tool for our private packages (Github Package Registry); there are currently no guardrails and thus - as far as I know - if anyone happens to know your private org and private package repo name they can generally deduce the URL and brute-force the package version - since they're versioned incrementally based on the PR number - and install your package.

There's a lot of IFs and Whens for this to happen (and you will be dealing with bigger security issues to get to that point), but proper security guarantees would be appreciated.

@Aslemammad
Member

We're looking into this! Thank you all for sharing this valuable information and I'd love to hear even more!

If anyone would like to invite me to their private packages workspace (I know this might not work for most companies) so I see how it's being done in the real world, I'd really appreciate it so I have an overview of what we should implement at the end.

I really want to come up with a solution that's applicable to a company workspace rather than being built on top of assumptions (since I never worked seriously that much in a company).
