“We discovered a 500-package limit for GitHub packages for any user other than an organizational admin. As a result, only people with organizational admin privileges can install all packages,” Bellware wrote in a LinkedIn post. “Those without those privileges can only install the first 498 packages. New packages, of course, represent new work. New work, which a significant share of what the team is doing, is stopped in its tracks. The cost of this is understandably eye-watering.”
After trying various work-arounds, Bellware’s team realized the most practical solution would violate least privilege: “Our only option is to give organizational admin privileges to every single contributor on our team of 25+ people. The security implications of this are shocking,” Bellware wrote.
Making the situation worse was BrightWorks’ initial interactions with support for GitHub, which has been owned by Microsoft since 2018.
