exitb 2 hours ago

Well, if that actually works, it should be part of the release process, before the packages get placed onto the regular channels.

blm126 2 hours ago | parent [-]

I think the key right now is that these are semi-automated scanning processes. Right now, companies like StepSecurity selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.

None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.