
What are other security risks associated with using package managers for internal companies libraries besides 3rd party trust

Çağlar Arlı

Assume you have full trust in your package manager, i.e. pip or npm (that it will not be compromised and leak your packages), and that you have full trust in your developers to always install the correct packages.

i.e.

npm publish --access restricted

whenever developers publish a package, and

npm install @yourcompany/somepackage

{
  "dependencies": {
    "@yourcompany/somepackage": "^1.0.0"
  }
}

whenever your developers install a package.

What other risks do you run when using public repositories for internal packages if you publish them privately, under a company scope and registered namespace, so that nobody but your developers has read/write permissions?

Also, the internal packages are published as private packages on the public repository (which uses access control and permissions):

npm access grant read-write your-org:developers @yourcompany/somepackage

Is the only risk the fact that you are posting company-confidential libraries on some third party's cloud, or are there other risks involved?
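The setup the question relies on (a package under the company scope, published with restricted access, installed from a pinned registry) is easy to get wrong by hand, for example with a stray `--access public` or a manifest that was never scoped. The following is an added example, not code from the original post: a Node.js check intended to run as a `prepublishOnly` hook, which inspects a parsed package.json and an .npmrc for those settings. The scope `@yourcompany`, the registry URL and the sample manifests are placeholders constructed for the example; the token value in the bad sample is fake.

```javascript
// Added example (not from the original post): a prepublishOnly guard for
// company-internal packages published as private packages on the public
// npm registry. "@yourcompany" is the placeholder scope from the question.

const COMPANY_SCOPE = "@yourcompany";
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Returns a list of problems found in a parsed package.json; empty means OK.
function checkPublishConfig(pkg, scope = COMPANY_SCOPE) {
  const problems = [];
  const name = typeof pkg.name === "string" ? pkg.name : "";

  // Unscoped packages are always public on registry.npmjs.org, so the scope is
  // the first thing that keeps the package out of the public namespace.
  if (!name.startsWith(scope + "/")) {
    problems.push(`package name "${name}" is not under the ${scope} scope`);
  }

  // Scoped packages default to restricted, but an explicit setting in the
  // manifest means the decision is reviewed in the repo rather than made on
  // the command line at publish time.
  const cfg = pkg.publishConfig || {};
  if (cfg.access !== "restricted") {
    problems.push(`publishConfig.access is ${JSON.stringify(cfg.access)}, expected "restricted"`);
  }

  // A registry set in publishConfig must be the one the scope is mapped to.
  if (cfg.registry !== undefined && cfg.registry !== EXPECTED_REGISTRY) {
    problems.push(`publishConfig.registry is ${cfg.registry}, expected ${EXPECTED_REGISTRY}`);
  }

  // An explicit "files" whitelist keeps stray local files out of the tarball.
  if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
    problems.push('no "files" whitelist; the tarball will contain everything not ignored');
  }

  return problems;
}

// Returns a list of problems found in an .npmrc; empty means OK.
function checkNpmrc(text, scope = COMPANY_SCOPE) {
  const problems = [];
  const lines = text.split("\n").map((l) => l.trim()).filter((l) => l && !/^[#;]/.test(l));

  // Auth tokens must come from the environment, never be committed literally.
  for (const line of lines) {
    const idx = line.indexOf(":_authToken=");
    if (idx !== -1) {
      const value = line.slice(idx + ":_authToken=".length);
      if (!value.startsWith("${")) {
        problems.push(`literal auth token in .npmrc line: ${line.slice(0, idx)}:_authToken=...`);
      }
    }
  }

  // The company scope must be pinned to the expected registry so installs of
  // @yourcompany/* never resolve against some other configured registry.
  const mapping = lines.find((l) => l.startsWith(scope + ":registry="));
  if (!mapping) {
    problems.push(`${scope}:registry is not set in .npmrc`);
  } else if (mapping.slice((scope + ":registry=").length) !== EXPECTED_REGISTRY) {
    problems.push(`${scope}:registry points at ${mapping}, expected ${EXPECTED_REGISTRY}`);
  }

  return problems;
}

// Constructed sample inputs for the example.
const GOOD_PKG = {
  name: "@yourcompany/somepackage",
  version: "1.0.0",
  files: ["dist"],
  publishConfig: { access: "restricted", registry: EXPECTED_REGISTRY },
};
const BAD_PKG = { name: "somepackage", version: "1.0.0", publishConfig: { access: "public" } };

const GOOD_NPMRC = [
  "@yourcompany:registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=${NPM_TOKEN}",
].join("\n");
// Fake token value, constructed for the example.
const BAD_NPMRC = "//registry.npmjs.org/:_authToken=npm_FAKE0000000000000000";

console.log("good manifest:", checkPublishConfig(GOOD_PKG));
console.log("bad manifest: ", checkPublishConfig(BAD_PKG));
console.log("good .npmrc:  ", checkNpmrc(GOOD_NPMRC));
console.log("bad .npmrc:   ", checkNpmrc(BAD_NPMRC));

module.exports = { checkPublishConfig, checkNpmrc, GOOD_PKG, BAD_PKG, GOOD_NPMRC, BAD_NPMRC };
```

To wire it in, have the hook read `./package.json` and `./.npmrc`, call both functions and exit non-zero if either list is non-empty; npm then aborts the publish before any tarball leaves the machine.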