kortilla 10 days ago
Installing from random npm repos is so sketchy with supply-chain attacks. Is there such a thing as a security-audited open source distro, kinda like some of the ultra-old kernel versions RHEL carried for so long? There is a market for "here are trailing versions of popular npm, cargo, etc. libraries that go through some kind of audit and approval process". I'm not sure of the logistics of how it would work, but developers ripping random high-churn libraries off the internet is completely crazy from a security perspective. But somehow it's the norm outside of a small subset of massive tech companies. Most big orgs just put in some kind of pass-through proxy looking for known signatures and call it a day. I want stripped-down functionality, real reviews, and just straight-up banned libraries if they can't find anything that passes.