rectang 5 days ago

There are ways, but at a high level, I don't care. I hate how modern package managers have come to value author convenience over downstream user security.

Hackbraten 5 days ago | parent | next [-]

Fair enough.

In the meantime, I'm trying to do my part through occasional random spot inspections when there's an update to a package, and encourage others to do the same for swarm coverage.
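One concrete form the "spot inspection" above can take, as an added example that is not code from this commenter, the thread, or npm itself: fetch the previous and the new tarball of a package (e.g. with the real `npm pack name@version`), then diff them offline for added, removed or changed files and for install-time lifecycle hooks (`preinstall`, `install`, `postinstall`) that appeared or changed, since those run automatically on `npm install` and are where a payload usually hides. The package name, versions and file contents below are constructed fixtures, not a real package.

```python
"""Spot-inspect an npm package update by diffing two package tarballs.

Added example, not code from the thread or from npm. Assumes you already
fetched both tarballs (e.g. `npm pack pkg@1.0.0` and `npm pack pkg@1.0.1`)
and compares them offline: file-level diff plus detection of new or changed
install-time lifecycle scripts.
"""
import hashlib
import io
import json
import tarfile

# Hooks npm runs automatically when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _read_tarball(data: bytes) -> dict:
    """Return {path: content} for regular files in an npm tarball (gzipped tar)."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def _lifecycle_scripts(files: dict) -> dict:
    """Extract install-time hooks from package/package.json (npm's tarball layout)."""
    manifest = files.get("package/package.json")
    if manifest is None:
        return {}
    scripts = json.loads(manifest).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def inspect_update(old_tgz: bytes, new_tgz: bytes) -> dict:
    """Diff two tarballs; flag the update if any install hook appeared or changed."""
    old, new = _read_tarball(old_tgz), _read_tarball(new_tgz)

    def digest(b: bytes) -> str:
        return hashlib.sha256(b).hexdigest()

    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if digest(old[p]) != digest(new[p]))
    old_hooks, new_hooks = _lifecycle_scripts(old), _lifecycle_scripts(new)
    hook_delta = {k: v for k, v in new_hooks.items() if old_hooks.get(k) != v}
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "new_or_changed_hooks": hook_delta,
        "suspicious": bool(hook_delta),  # a human should read these before installing
    }


def _make_tarball(files: dict) -> bytes:
    """Build a gzipped tar in npm's layout (everything under package/). Fixture helper."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample (not a real package): 1.0.0 is a plain library; 1.0.1
# quietly adds a postinstall hook plus the script it runs.
OLD_TGZ = _make_tarball({
    "package.json": json.dumps({"name": "left-pad-ish", "version": "1.0.0",
                                "main": "index.js",
                                "scripts": {"test": "node test.js"}}).encode(),
    "index.js": b"module.exports = (s, n) => s.padStart(n);\n",
})
NEW_TGZ = _make_tarball({
    "package.json": json.dumps({"name": "left-pad-ish", "version": "1.0.1",
                                "main": "index.js",
                                "scripts": {"test": "node test.js",
                                            "postinstall": "node setup.js"}}).encode(),
    "index.js": b"module.exports = (s, n) => s.padStart(n);\n",
    "setup.js": b"// would run on every install of this package\n",
})

if __name__ == "__main__":
    print(json.dumps(inspect_update(OLD_TGZ, NEW_TGZ), indent=2))
```

For a real package, read `OLD_TGZ`/`NEW_TGZ` from the `.tgz` files `npm pack` writes; a flagged update is a prompt to read the listed files, not a verdict, and an update with no new hooks can still carry changes in `index.js` or a newly added file, which is why the file diff is reported alongside.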

whatevaa 4 days ago | parent | prev [-]

Ahh, the classic "I don't care." What if other people don't care about your problems? What if both sides don't care about each other? What then?

rectang 4 days ago | parent [-]

We wait and see whether the supply chain attacks crescendo to a crisis and force NPM's hand. In the meantime I'm doing everything I can to avoid NPM and to uphold "just don't use the software if you don't like it"... but people like myself don't always have a choice.