kaelwd 5 days ago
NPM could also flag releases that don't have a corresponding GitHub tag (for packages that are hosted on GitHub); most of these attacks are publishing directly to NPM without any git changes.
mdaniel 4 days ago
I would love this for every dependency manager, and double extra bonus for "the tag NOW isn't the tag from when the dep was published". But, this coming from GitHub, who believe that sliding "v1" tags on random action repos is how one ends up with https://news.ycombinator.com/item?id=43367987
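The two checks discussed above (a published version with no matching git tag, and a tag that has since moved to a different commit) as an added example, not code from anyone in this thread. It assumes a registry version document carrying the `gitHead` field npm records at publish time, and the output of `git ls-remote --tags` for the package's repository; both inputs here are constructed samples.

```python
from __future__ import annotations

# Constructed sample: abridged npm registry version document for a made-up package.
PACKAGE_DOC = {
    "name": "example-pkg",
    "version": "1.2.3",
    "gitHead": "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3",
}

# Constructed sample of `git ls-remote --tags` output. v1.2.3 is an annotated tag,
# so it appears twice: the tag object, then the peeled '^{}' line with the commit.
LS_REMOTE_OUTPUT = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v1.2.3
0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3\trefs/tags/v1.2.3^{}
1111111111111111111111111111111111111111\trefs/tags/v1.2.2
"""


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA. For annotated tags the peeled line wins,
    because that is the commit the tag actually points at."""
    tags: dict[str, str] = {}
    peeled: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def check_release(doc: dict, tags: dict[str, str], pinned: dict[str, str] | None = None) -> dict:
    """Classify one published version against the repository's tags.
    'no_tag'   no tag named v<version> or <version> exists
    'mismatch' the tag exists but is not at the commit the tarball claims (gitHead)
    'moved'    the tag no longer points where it did when we first recorded it (sliding tag)
    'ok'       tag present, matches gitHead, and unchanged since pinned"""
    version = doc["version"]
    name = next((t for t in (f"v{version}", version) if t in tags), None)
    if name is None:
        return {"status": "no_tag", "tag": None}
    sha = tags[name]
    if doc.get("gitHead") and doc["gitHead"] != sha:
        return {"status": "mismatch", "tag": name, "tag_commit": sha, "gitHead": doc["gitHead"]}
    if pinned and name in pinned and pinned[name] != sha:
        return {"status": "moved", "tag": name, "tag_commit": sha, "pinned": pinned[name]}
    return {"status": "ok", "tag": name, "tag_commit": sha}


if __name__ == "__main__":
    tags = parse_ls_remote(LS_REMOTE_OUTPUT)
    print(check_release(PACKAGE_DOC, tags))
    print(check_release({"version": "1.2.4", "gitHead": "deadbeef"}, tags))
```

Recording the tag's commit SHA the first time a dependency is accepted (the `pinned` map) is what turns the one-off tag check into a detector for tags that are later slid to a new commit.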