
Have you tried contacting GitHub's security team? #274

Closed
amacneil opened this issue Aug 9, 2021 · 3 comments

Comments


amacneil commented Aug 9, 2021

Since #271 is locked I can't comment. That issue has been open for 11 days and it seems you aren't making fast progress with NPM support.

Meanwhile, because you published the CVE, I'm getting a huge banner over the top of my repo, plus a warning in the CLI every time I do a git push, because we have a vulnerable package. I'm not interested in installing this package from source, but I think you need to start making more noise with GitHub since I assume thousands of repos are getting the same banner and CLI warnings as we are.

Since this relates to a CVE, have you tried reaching out to GitHub's security team? I would think they might be able to build and publish this one release of the package themselves, thus resolving the CVE for everyone while you work out the correct channels to regain access to the package?

@karfau
Member

karfau commented Aug 9, 2021

I locked that conversation because there is a related discussion: #270, so that people who only want to subscribe to updates can do that by following the issue.

There was a promising answer from github/npm today, so I hope to be able to finally resolve it.

But thanks for the idea of contacting GitHub's security team next time, it didn't occur to me.
Not sure it would be an option for them to rule over the access rights, just to publish some package, but it would be worth a try.

karfau closed this as completed Aug 9, 2021
@karfau
Member

karfau commented Aug 10, 2021

@amacneil Just to let you know:
In the last response mentioned in #271 the npm/GitHub support says

I talked with the Trust & Safety team of GitHub today and they will take a look at this soon.

Is this what you were thinking of?

I also did some web search around a GitHub security team or support, but didn't find anything specific. Do you have some specific contact form/mail address in mind that you would contact in a case like this?

@amacneil
Author

Yeah, Trust & Safety is probably the right place. I can't find any other contact details sorry.
