kevin_thibedeau 3 days ago

To avoid LeftPad 3.0 they're going to have to add some sort of signed capabilities manifest to restrict API access for these narrow domain packages. Then attackers would be limited to targeting those with network privileges.

lrvick 3 days ago | parent [-]

Package signing of any kind was ruled out in 2013 for nonsensical reasons https://github.com/npm/npm/pull/4016

____tom____ 2 days ago | parent | next [-]

Time to revisit, clearly.

tmpfs 2 days ago | parent [-]

Agreed, more than time to revisit. I have stopped using npm entirely because of their cavalier attitude to security.

Code signing could and should have been implemented years ago. It's not a panacea but just part of defense in depth.

I can't trust npm whatsoever to do the right thing at this point.
