
Lux v0.34.2

Published: at 12:00 AM


It’s time for a new update post again! Lux is a modern package manager for the Lua programming language. It has undergone many exciting changes and it’s now speedier, more secure and more fully featured than ever.

This update brings a long-awaited feature that only recently got implemented by the luarocks.org site maintainers — 2FA. In this post we dissect how to set up 2FA in Lux and why it’s important.

Why 2FA?

Over the past year there have been a plethora of attacks on popular package registries, especially npm. These attacks hijack API tokens to impersonate authors of popular packages and inject malware into packages used by millions of people.

Because no registry is safe, the maintainers of luarocks.org have taken it upon themselves to implement two-factor authentication into their site. This means that every time you push a package, you need to supply an extra 6-digit code generated by an authenticator app like Aegis, Authy or any other TOTP application.

Setting up 2FA

We encourage absolutely everyone to set up 2FA on their account. Head over to https://luarocks.org/settings/two-factor-auth for instructions. Scan the QR code with your favourite authenticator app and, congratulations, you’re now protected against impersonation attacks!

Using 2FA in Lux

When uploading a package, open your authenticator app and grab the code. Then, simply add --tfa-code to your upload command:

lx upload --tfa-code "384562"

And voilà, everything works just as it did before!

2FA in CI

If you’re using a CI/CD engine that utilizes Lux for uploads, we have an alternative route for you. When setting up 2FA on luarocks.org, copy the secret key shown under the QR code.

Next, set up an environment variable called LUAROCKS_2FA_SECRET and paste the secret key there. Lux will then automatically generate a 2FA code for you each time, so you never need to supply a code by hand again!

NOTE: We only recommend doing this for CI environments. If the secret ever gets leaked, an attacker can freely generate 2FA codes on your behalf and impersonate you. Be careful!
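
To make the warning above concrete, this is how a 6-digit code is derived from nothing but the secret key and the clock. It is an added example, not Lux's or luarocks.org's own code; it assumes the common RFC 6238 defaults (HMAC-SHA1, 30-second step), which the post does not confirm, and the sample secret is the RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as sites display it: spaced, lowercase, unpadded."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode requires padding
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at_time: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (assumed defaults, see lead-in)."""
    counter = struct.pack(">Q", int(at_time) // step)  # 64-bit time-step counter
    mac = hmac.new(decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def seconds_left(at_time: float, step: int = 30) -> int:
    """Seconds until the current code stops being the current one."""
    return step - int(at_time) % step


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    # Falls back to the sample so the script runs offline. Never log the secret itself.
    secret = os.environ.get("LUAROCKS_2FA_SECRET", SAMPLE_SECRET)
    now = time.time()
    print(f"code {totp(secret, now)} (valid for {seconds_left(now)}s more)")
```

Nothing else goes into the computation, so anyone holding the value of LUAROCKS_2FA_SECRET can produce valid codes indefinitely until the secret is rotated.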

Extras

Apart from this highly anticipated feature, we’ve also implemented many other changes along the way:

  1. Workspace support - Lux now supports multiple projects in the same folder (workspace)!
  2. The Lux Lua API is now shipped with type definitions for rich LSP diagnostics.
  3. lx fmt is now more predictable and can format individual files provided by the user instead of the entire project each time.
  4. lx dist flat-archive is the first step towards making Lua projects trivial to package and distribute to others — all without them needing to clone or install a single thing.

Conclusion

We’ve been very excited to announce the recent changes to Lux with all of you! Lua continues to be a highly underrated language, even though it’s used in numerous places. Let’s give it the ecosystem it deserves. Cheers 🍻.