GitHub package restrictions put law firms at security restrictions

“We found a 500 package limit for GitHub packages besides organization administrators. As a result, only those with organizational administration privileges can install all packages,” Bellware wrote in a LinkedIn post. “Those who do not have these privileges can only install the first 498 packages. Of course, new packages represent new work. A large portion of the work done by the team is stopped on its track. It is understandably intoxicating cost.”

After trying various jobs, Bellware’s team realized that the most practical solution would violate the principle of least privilege: “Our only option is to give each contributor to our 25-plus team organization management privileges. This is a shocking sense of security for this,” Bellware wrote.

What makes the situation worse is Brightworks’ initial interaction with support at GitHub, which has been owned by Microsoft since 2018.
