All NPM packages under our purview were manually reviewed to ensure that 2FA was enforced for publishing these packages. Currently, this is being done manually by reviewing each package individually through npmjs.com.
There is currently no way to do an organisation-wide 2FA publishing enforcement nor a way to programmatically retrieve the current packages' 2FA publishing requirement, though there seem to be some future plans.

From https://github.blog/2021-12-07-enrolling-npm-publishers-enhanced-login-verification-two-factor-authentication-enforcement/:

> We are currently working on a variety of enhancements to the registry to make 2FA adoption easier for developers, including:
>
> ...
>
> Better tools for understanding 2FA adoption in npm orgs
However, we can still programmatically enable 2FA for package publishing using libnpmaccess through a scheduled GitHub Actions workflow. While a "mitigative" solution, it reduces the attack window in case of an accidental disabling of this publishing requirement.

This proposed solution does not:

- Prevent disabling of the 2FA publishing requirement
- Provide visibility when a 2FA publishing requirement is disabled
achrinza changed the title from "Enforce 2FA for publishing packages" to "Continuous eforcement of 2FA for publishing packages" on Mar 13, 2022

achrinza changed the title from "Continuous eforcement of 2FA for publishing packages" to "Continuous enforcement of 2FA for publishing packages" on Mar 16, 2022