Add per-package permissions for publisher members #9101

@passsy

Description

When using a verified publisher, all members automatically have permission to publish all packages owned by that publisher. There's no way to grant a new maintainer access to only specific packages. This increases the risk of supply chain attacks.

This creates a security risk: if I want to add a contributor to help maintain one of my packages, I must either:

  1. Add them to my publisher, giving them access to all my packages
  2. Not use a verified publisher and manage uploaders per-package instead

For publishers with many packages, this all-or-nothing model is problematic. Recent attacks on npm package authors prove the relevance.

Proposed Solution

Add per-package permission controls within publishers. For example:

  • Publisher admins can assign members to specific packages
  • Members only see and can publish to packages they've been assigned to
  • A "full access" option could remain for trusted members who need access to everything

Use Case

I maintain multiple packages under my verified publisher. I want to onboard a new maintainer for one specific package without exposing my other packages to potential unauthorized publishes (whether accidental or malicious).

Current Workaround

The only workaround is to not transfer packages to a verified publisher and instead manage uploaders individually per package. However, this loses the benefits of verified publishers (organization branding, centralized trust, etc.).
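The following is an added illustration, not code from pub.dev or from this issue. It models the two authorization policies the issue contrasts: the current all-or-nothing publisher membership, and the proposed per-package assignment with an optional "full access" role. The publisher, package and member names are constructed, and the `blast_radius` helper (what a single compromised member account could publish) is a hypothetical metric used here to make the least-privilege argument concrete.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Publisher:
    """Toy model of a verified publisher (hypothetical, not pub.dev's data model)."""

    name: str
    packages: set[str]
    members: set[str]
    # Hypothetical "full access" role from the proposal: trusted members who may
    # publish every package the publisher owns.
    full_access: set[str] = field(default_factory=set)
    # Hypothetical per-package assignments: member -> packages they may publish.
    assignments: dict[str, set[str]] = field(default_factory=dict)


def can_publish_all_or_nothing(pub: Publisher, member: str, package: str) -> bool:
    """Current model as described in the issue: any member may publish any package."""
    return package in pub.packages and member in pub.members


def can_publish_scoped(pub: Publisher, member: str, package: str) -> bool:
    """Proposed model: members publish only assigned packages, unless granted full access."""
    if package not in pub.packages or member not in pub.members:
        return False
    if member in pub.full_access:
        return True
    return package in pub.assignments.get(member, set())


def visible_packages(pub: Publisher, member: str) -> set[str]:
    """Packages a member should see under the proposal (only what they can publish)."""
    return {p for p in sorted(pub.packages) if can_publish_scoped(pub, member, p)}


def blast_radius(pub: Publisher, member: str, scoped: bool) -> set[str]:
    """Packages an attacker holding this member's credentials could publish."""
    check = can_publish_scoped if scoped else can_publish_all_or_nothing
    return {p for p in pub.packages if check(pub, member, p)}


# Constructed sample data: one publisher, three packages, two members.
EXAMPLE_PUBLISHER = Publisher(
    name="example-publisher",
    packages={"pkg_a", "pkg_b", "pkg_c"},
    members={"alice", "bob"},
    full_access={"alice"},              # long-time owner keeps access to everything
    assignments={"bob": {"pkg_b"}},     # new maintainer onboarded for one package only
)


if __name__ == "__main__":
    pub = EXAMPLE_PUBLISHER
    for member in sorted(pub.members):
        old = sorted(blast_radius(pub, member, scoped=False))
        new = sorted(blast_radius(pub, member, scoped=True))
        print(f"{member}: all-or-nothing can publish {old}; scoped can publish {new}")
```

Under the current model, compromising the new maintainer's account exposes every package the publisher owns; under the scoped model it exposes only the one package they were assigned, which is the reduction in blast radius the issue is asking for. Note that the scoped check still rejects members who are not part of the publisher at all and packages the publisher does not own, so adding assignments never widens access beyond the existing membership boundary.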
