Thanks for the suggestion. Actually, we already thought about it, but there is a security constraint that prevents us from doing so.
In fact, when using the keychain (on any of the OSes), the owner of the secrets is the process that created them, and when you use the npm package with node directly, node is the owner, which means that any other node process can grab the secret from the keychain.
I believe that's a security issue, which we mitigate when the application is packaged in its own binary.
I'll leave the thread open because I agree that would be a nice-to-have.
So after reviewing this option again with the security team at Dashlane, we think that running the CLI with the Node.js process causes a risk when used with the keychain. As it is the default and most common behaviour, we won't publish the resulting package on npmjs.
On the other hand, we are going to provide a Homebrew package (with compatibility on both macOS and Linux x64/arm64).
It would be great if we could install (and update!) the CLI using npm.
This:
npx @dashlane/cli
Or:
npm i -g @dashlane/cli
instead of this: