use-context-hook

React hook for selective context subscriptions - Prevent unnecessary re-renders with Redux-like selectors for React Context
# Security Policy

## npm Publishing Security - Updated December 2025

This project has been updated to comply with [npm's new security requirements](https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/) announced September 29, 2025.

### Key Changes

- **Classic npm tokens are NO LONGER USED** - All classic tokens were sunset by npm in November 2025
- **GitHub Actions uses Trusted Publishers (OIDC)** - No long-lived tokens in CI/CD
- **Local publishing requires short-lived granular tokens** - Maximum 90-day expiration
- **WebAuthn/Passkeys recommended** - TOTP being phased out

---

## Publishing Methods

### 🤖 Automated Publishing via GitHub Actions (Recommended)

**Status:** Workflow created at `.github/workflows/publish.yml`

This project uses **npm Trusted Publishing (OIDC)** for secure, token-free publishing from GitHub Actions.

#### How it works:

1. Push a version tag (e.g., `v2.0.6`)
2. GitHub Actions automatically builds, tests, and publishes
3. No manual token management required
4. Includes provenance attestation for supply chain security

#### Required one-time setup on npmjs.com:

1. **Enable Trusted Publishing:**
   - Go to https://www.npmjs.com/package/use-context-hook/access
   - Under "Publishing access", click "Configure trusted publishers"
   - Add GitHub as a trusted publisher:
     - **Provider:** GitHub
     - **Repository owner:** HussnainQuresshi
     - **Repository name:** use-context-hook
     - **Workflow name:** publish.yml
     - **Environment name:** (leave blank)
2. **Enable 2FA with WebAuthn/Passkeys:**
   - Go to https://www.npmjs.com/settings/~/tfa
   - If using TOTP, migrate to WebAuthn/passkeys
   - Add at least one hardware key or passkey

#### To publish a new version:

```bash
# Update version in package.json
npm version patch   # or minor, major

# Push the tag
git push && git push --tags

# GitHub Actions handles the rest!
```

---

### [Local] Manual Local Publishing (Alternative)

If you need to publish manually (e.g., from your local machine), follow these guidelines:

#### WARNING: Use only short-lived granular tokens

1. **Generate a new granular access token** (NOT classic):
   - Go to https://www.npmjs.com/settings/~/tokens
   - Click "Generate New Token" → "Granular Access Token"
   - **Name:** `use-context-hook-local-publish-[DATE]`
   - **Expiration:** Maximum 90 days (7 days recommended for CI/CD)
   - **Packages and scopes:**
     - Select "Only select packages and scopes"
     - Choose `use-context-hook`
     - Permission: **Read and write**
   - Save the token securely (password manager recommended)

2. **Configure npm authentication:**

   ```bash
   # Login with your granular token
   npm login

   # Or set the token directly (replace TOKEN with your actual token)
   npm config set //registry.npmjs.org/:_authToken=TOKEN
   ```

3. **Publish:**

   ```bash
   npm run build
   npm test
   npm publish --access public
   ```

4. **Security best practices:**
   - **NEVER** commit tokens to git
   - Use a password manager to store tokens
   - Rotate tokens every 30-90 days
   - Delete tokens after use if they were one-time
   - Enable WebAuthn/passkeys on your npm account

---

## .npmrc Configuration

**DO NOT commit authentication tokens to git!**

If you need a local `.npmrc` file for configuration, create it manually:

```bash
# Example .npmrc (authentication should be done via npm login)
registry=https://registry.npmjs.org/
```

See `.npmrc.example` for a safe template. The actual `.npmrc` file is git-ignored.
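For reference, here is a workflow that implements the tag-triggered trusted-publishing flow described under "Automated Publishing via GitHub Actions" above. It is an illustrative example added to this document, not the project's actual `.github/workflows/publish.yml` (which is not shown here); it assumes Node 20, an npm CLI recent enough to perform the OIDC exchange for trusted publishing, and no deployment environment (matching the "leave blank" step in the setup), and it keeps the minimal permissions named in the checklist (`id-token: write`, `contents: read`).

```yaml
# Illustrative workflow (example, not the project's own file).
name: Publish to npm

on:
  push:
    tags:
      - "v*"          # e.g. v2.0.6, created by `npm version patch`

# Least privilege: the job only needs to read the repo and mint an OIDC token.
# No NPM_TOKEN secret is defined anywhere in this workflow.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # No `environment:` key, because the trusted publisher was registered
    # with the environment name left blank; adding one would break the match.
    steps:
      # In production, pin these actions to a full commit SHA instead of a tag.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      # The OIDC exchange is done by the npm CLI itself, so make sure the
      # runner's npm is new enough to support trusted publishing.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build
      - run: npm test

      # No token is passed: npm trades the workflow's OIDC identity
      # (owner/repo/workflow file) for a short-lived publish credential and
      # attaches a provenance attestation linking the tarball to this run.
      - run: npm publish --access public --provenance
```

If npm rejects the publish with an authentication error, the usual cause is a mismatch between the trusted-publisher record (repository owner, repository name, workflow file name) and the workflow that actually ran, or a missing `id-token: write` permission.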
---

## Security Checklist for Maintainers

- [ ] Configure Trusted Publishing on npmjs.com (see instructions above)
- [ ] Migrate from TOTP to WebAuthn/passkeys for 2FA
- [ ] Delete any old classic npm tokens (revoked by npm in November 2025)
- [ ] If using granular tokens locally, ensure they expire within 90 days
- [ ] Verify `.npmrc` is in `.gitignore` and never committed
- [ ] Review that GitHub Actions workflow permissions are minimal (`id-token: write`, `contents: read`)

---

## Token Security Timeline (npm Platform Changes)

- **September 29, 2025:** Announcement of security changes
- **Early October 2025:** Token lifetime limits took effect (max 90 days)
- **Mid-November 2025:** Classic tokens revoked and disabled
- **Ongoing:** TOTP being phased out in favor of WebAuthn/passkeys

**Reference:** https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/

---

## Reporting Security Issues

If you discover a security vulnerability in this package, please email the maintainer directly rather than opening a public issue.

---

## Additional Resources

- [npm Trusted Publishers Documentation](https://docs.npmjs.com/trusted-publishers)
- [npm Granular Access Tokens](https://docs.npmjs.com/about-access-tokens#granular-access-tokens)
- [Configuring Two-Factor Authentication](https://docs.npmjs.com/configuring-two-factor-authentication)
- [npm Community Discussion on Security Changes](https://github.com/orgs/community/discussions/174507)