Publish the cli to NPM registry #47

Closed
Elias-Serneels opened this issue Jan 17, 2023 · 2 comments

@Elias-Serneels

It would be great if we could install (and update!) the cli using NPM.

This:

```sh
npx @dashlane/cli
```

Or:

```sh
npm i -g @dashlane/cli
```

instead of this:

```sh
brew install typescript
git clone git@github.com:Dashlane/dashlane-cli.git
cd dashlane-cli
npm run build
npm link
npm install
```

@Mikescops
Member

Hello,

Thanks for the suggestion, actually we already thought about it but there is a security constraint that prevents us from doing so.
In fact, when using the keychain (on any of the OSes) the owner of the secrets is the process that created them, and when you use the npm package with node directly, node is the owner which means that any other node process can grab the secret from the keychain.

I believe that's a security issue, which we mitigate when the application is packaged in its own binary.

I'll leave the thread open because I agree that would be a nice to have.

@Mikescops Mikescops added the features New feature or request label Jan 18, 2023
@Mikescops
Member

So after reviewing this option again with the security team at Dashlane, we think that running the CLI with the nodejs process causes a risk when used with the keychain. As it is the default and most common behaviour, we won't publish on npmjs the resulting package.

On the other hand, we are going to provide a homebrew package (with compatibility on both macos and linux x64/arm64).

Hope this covers your use cases.

@Mikescops Mikescops self-assigned this Feb 28, 2023
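
The keychain ownership concern raised in this thread can be checked on macOS by looking at which applications a keychain item's ACL trusts. The following is an added example, not code from the Dashlane CLI or its maintainers. It assumes the ACL listing has the layout printed by `security dump-keychain -a`; the sample dump, the service names and the list of shared runtimes are constructed for illustration.

```javascript
// Added example: flag keychain items whose ACL trusts a shared interpreter
// (e.g. node) rather than a dedicated application binary.
// Assumption: input follows the layout of `security dump-keychain -a` on macOS.
const SHARED_RUNTIMES = new Set(['node', 'python', 'python3', 'ruby', 'perl', 'osascript']);

// Constructed sample, not captured from a real machine.
const SAMPLE_DUMP = `
class: "genp"
attributes:
    "acct"<blob>="alice@example.com"
    "svce"<blob>="example-cli-from-npm"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /usr/local/bin/node (OK)
class: "genp"
attributes:
    "acct"<blob>="alice@example.com"
    "svce"<blob>="example-cli-packaged"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /usr/local/bin/example-cli (OK)
`;

// Returns one finding per trusted application that is a shared runtime.
function findSharedRuntimeItems(dumpText) {
  const findings = [];
  let service = null;
  for (const line of dumpText.split('\n')) {
    if (/^class:/.test(line)) service = null; // a new keychain item starts
    const svc = line.match(/"svce"<blob>="([^"]*)"/);
    if (svc) service = svc[1];
    // Trusted application lines look like "    0: /path/to/binary (OK)".
    const app = line.match(/^\s+\d+:\s+(\/.+?)\s+\(/);
    if (!app) continue;
    const base = app[1].split('/').pop();
    if (SHARED_RUNTIMES.has(base)) findings.push({ service, application: app[1] });
  }
  return findings;
}

console.log(findSharedRuntimeItems(SAMPLE_DUMP));
```

An item flagged here is readable by any script started with the same interpreter binary, which is the situation the maintainers describe for a package run directly with node.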