davidpfarrell 5 days ago

Wow, so couldn't said security companies establish their own registry that we could point to instead, and packages would only get updated after they reviewed and approved them?

I mean, I'd probably be okay paying a yearly fee for access to such a registry.
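Pointing a project at a curated registry is only half of it: `npm ci` installs from the `resolved` URLs and `integrity` hashes pinned in package-lock.json, so a lockfile that still references the public registry (or a bare git URL with no hash) bypasses the review gate. The check below is an added example, not code from the thread or from any registry vendor; the mirror hostname `registry.reviewed.example` and the lockfile contents are constructed for illustration.

```python
"""Audit a package-lock.json: every dependency must resolve from the approved
registry and carry an integrity hash. Added example; hostname and sample
lockfile are constructed, not taken from a real project."""
import json
from urllib.parse import urlparse

# Constructed lockfileVersion 3 sample: one package from the hypothetical
# approved mirror, one from the public registry, one git dependency with no
# integrity field at all.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.reviewed.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA...",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-BBBB...",
        },
        "node_modules/some-fork": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/some-fork.git#abc123",
        },
    },
})


def iter_packages(lock):
    """Yield (name, entry) for every dependency in the lockfile.

    Handles the lockfileVersion 2/3 'packages' map (keys are install paths
    such as 'node_modules/a/node_modules/b') and falls back to the v1 nested
    'dependencies' tree when 'packages' is absent.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "":  # root project entry, not a dependency
                continue
            yield path.rsplit("node_modules/", 1)[-1], entry
        return

    def walk(deps):
        for name, entry in deps.items():
            yield name, entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, allowed_registry):
    """Return findings as (package name, reason, resolved URL) tuples.

    A dependency is flagged when its tarball is not served by allowed_registry
    (scheme and host must match) or when it has no integrity hash.
    """
    lock = json.loads(lock_text)
    allowed = urlparse(allowed_registry)
    findings = []
    for name, entry in iter_packages(lock):
        # Workspace links and bundled deps carry no resolved URL by design.
        if entry.get("link") or entry.get("inBundle"):
            continue
        resolved = entry.get("resolved", "")
        url = urlparse(resolved)
        if url.scheme != allowed.scheme or url.netloc != allowed.netloc:
            findings.append((name, "resolved outside approved registry", resolved))
        if not entry.get("integrity"):
            findings.append((name, "missing integrity hash", resolved))
    return findings


if __name__ == "__main__":
    for name, reason, resolved in audit_lockfile(SAMPLE_LOCK, "https://registry.reviewed.example"):
        print(f"{name}: {reason} ({resolved or 'no resolved URL'})")
```

Run it against a real lockfile with `audit_lockfile(open("package-lock.json").read(), "https://<your-mirror>")` in CI and fail the build on any finding; the `registry=` line in `.npmrc` only controls where new resolutions come from, so the lockfile is the thing to verify.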

davidshepherd7 5 days ago | parent | next [-]

IIUC, Chainguard is this, but only for Python, Java, and Docker images so far. https://www.chainguard.dev/libraries

getcrunk 5 days ago | parent | prev [-]

I think it would be a no-brainer for npm to offer this, but I don't know why they haven't.

phatfish 5 days ago | parent [-]

Probably because they would expose themselves legally? Not sure what the current situation is exactly, but I assume it's "at your own risk".