prmph 5 hours ago

There is no easy solution to these problems. The solutions that are effective also involve actually doing work, as developers, library authors, and package managers. But no, we want as much "convenience" as possible, so the issues continue. Developers and package authors should use a lockfile, pin their dependencies, be frugal about adding dependencies, and put any dependencies they do add through a basic inspection at least, checking what dependencies they also use, their code and tests quality, etc. Package managers should enforce namespacing for ALL packages, should improve their publishing security, and should probably have an opt-in verified program for the most important packages. Doing these will go a long way to ameliorate these supply chain attacks.
venturecruelty 9 minutes ago

There absolutely is an easy solution to these problems, and Linux has been doing it forever: package maintainers. Don't treat your repository like a Superfund site, and it won't fill up with garbage.
Yokohiii 3 hours ago

I think if you generally depend on npm packages, being frugal is hard, because every random package works against you. Last time my perception was also that publishing sec is a weak point. If at least heavily used packages would be forced to do manual security steps for publishing, it would help quite a bit as long as the measures are safe.