mnahkies 5 days ago

Eh, we got confused implementing this today.

Basically we severed connection to the public npm registry completely earlier in the week whilst this worm plays out.

Unfortunately there wasn't a way to do this without taking our cached "good" public packages down as well, so we later replicated the good cached packages into a new standalone private registry to be the new upstream.

The bit that was not obvious in the moment but self-evident once we realised is that the registry we're using took the copy time as the publish time, and therefore our new 2-week delay is rejecting the copied packages...

So sample size of one, but the registry we're using is definitely using upload time, not any metadata in the packages themselves. Good to know the filtering is working.
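
As an added example (not code from the thread, nor from any registry product the commenter uses), here is a minimum-release-age check of the kind described above, run over two constructed packuments: one with the public registry's original publish timestamps in the `time` field, and a hypothetical mirror that recorded the copy time instead. The package name, versions, timestamps and the fixed "now" are all made up; the `time` map shape follows the public registry's package document.

```javascript
// Added example, not code from the thread or from any registry product.
// It models the 14-day minimum-release-age filter discussed above and shows
// why a mirror that stamps copies with its own upload time rejects old,
// known-good versions. All data below is constructed.

const MIN_AGE_DAYS = 14;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed "current time" so the example is deterministic.
const NOW = Date.parse("2025-09-22T00:00:00.000Z");

// Constructed packument following the public registry's /<name> document shape:
// "time" maps each version (plus created/modified) to its publish timestamp.
const upstreamPackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-10T12:00:00.000Z",
    modified: "2025-09-16T09:30:00.000Z",
    "2.0.0": "2024-06-01T10:00:00.000Z",
    "2.1.0": "2025-09-16T09:30:00.000Z",
  },
};

// Hypothetical packument served by a private registry that was populated by
// copying tarballs on 2025-09-17 and recorded the copy time as publish time.
const mirrorPackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2025-09-17T08:00:00.000Z",
    modified: "2025-09-17T08:05:00.000Z",
    "2.0.0": "2025-09-17T08:00:00.000Z",
    "2.1.0": "2025-09-17T08:05:00.000Z",
  },
};

// Age of a version in days, given its ISO publish timestamp.
function ageDays(isoTime, now) {
  return (now - Date.parse(isoTime)) / DAY_MS;
}

// Minimum-release-age policy: a version is installable only once it has been
// public for at least minDays. Missing/invalid timestamps are rejected (fail closed).
function checkMinAge(isoTime, now, minDays = MIN_AGE_DAYS) {
  const age = ageDays(isoTime, now);
  if (Number.isNaN(age)) return { allowed: false, reason: "no publish timestamp" };
  if (age < minDays) return { allowed: false, reason: `${age.toFixed(1)} days old, need ${minDays}` };
  return { allowed: true, reason: `${age.toFixed(1)} days old` };
}

// Newest version that passes the policy, or null if none does. Ordering is by
// publish time here; a real resolver would additionally apply semver ranges.
function resolveLatestAllowed(doc, now, minDays = MIN_AGE_DAYS) {
  const versions = Object.keys(doc.time).filter((k) => k !== "created" && k !== "modified");
  const allowed = versions.filter((v) => checkMinAge(doc.time[v], now, minDays).allowed);
  if (allowed.length === 0) return null;
  allowed.sort((a, b) => Date.parse(doc.time[b]) - Date.parse(doc.time[a]));
  return allowed[0];
}

// Compare the two sources of "publish time" for one version.
function evaluateVersion(version, now) {
  return {
    byUpstreamPublishTime: checkMinAge(upstreamPackument.time[version], now),
    byMirrorUploadTime: checkMinAge(mirrorPackument.time[version], now),
  };
}

for (const v of ["2.0.0", "2.1.0"]) {
  const r = evaluateVersion(v, NOW);
  console.log(v, "upstream:", r.byUpstreamPublishTime.reason, "| mirror:", r.byMirrorUploadTime.reason);
}
console.log("resolved from upstream metadata:", resolveLatestAllowed(upstreamPackument, NOW));
console.log("resolved from mirror metadata:", resolveLatestAllowed(mirrorPackument, NOW));
```

With the upstream timestamps, 2.0.0 (over a year old) passes and only the 5-day-old 2.1.0 is held back; with the mirror's timestamps every version looks 4-5 days old and nothing resolves. The practical check is to look at what your registry actually serves in the `time` field (for example `npm view <pkg> time` against the private registry) before assuming a copied package carries its original publish date.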

Flimm 5 days ago | parent [-]

Thank you for the explanation. And thank you for your important work making the ecosystem more secure, for the benefit of 5.5 billion Internet users.