btown an hour ago

There are so, so many things that NPM could do. It could require a 48 hour cooldown period on any package update that wants to add an install script that didn't have one before, and has a certain number of downloads. And it could publish the list of these so security researchers have an opportunity to scan them. It could add an optional key to package.json that allows someone to whitelist which packages can run install scripts. It could add a Hardened Security program where (1) package maintainers could opt into a program where multi-factor confirmation by maintainers is required on every publish, even those triggered by CI; (2) this hardened package status would be public, and (3) a developer could set a flag in their package.json that causes any npm action to act as if all non-hardened packages had frozen versions. And so much more.
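The two client-side proposals in this comment (a 48 hour cooldown on versions that newly add an install script, and an allowlist of packages permitted to run install scripts) can be approximated locally against registry metadata. The following is an added example, not code from the thread or from npm; the registry document shape (versions[v].scripts, time[v]) is real, but the package names, versions and timestamps are constructed, and the allowlist is passed as a plain array rather than the proposed package.json key.

```javascript
// Added example (not from the thread): a local gate modelled on the two
// proposals above. Metadata follows the npm registry document shape
// (versions[v].scripts, time[v]); all sample values here are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const COOLDOWN_MS = 48 * 60 * 60 * 1000;

// True when a version document declares a lifecycle hook that runs on install.
function hasInstallScript(versionDoc) {
  const scripts = (versionDoc && versionDoc.scripts) || {};
  return INSTALL_HOOKS.some((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '');
}

// Hold `version` if it newly adds an install script compared with `prevVersion`
// and was published less than COOLDOWN_MS before `nowMs` (epoch milliseconds).
function cooldownVerdict(meta, prevVersion, version, nowMs) {
  const cur = meta.versions[version];
  if (!cur || !meta.time[version]) return { hold: true, reason: `no metadata for ${version}` };
  const ageMs = nowMs - Date.parse(meta.time[version]);
  const prev = prevVersion ? meta.versions[prevVersion] : null;
  const addsHook = hasInstallScript(cur) && !hasInstallScript(prev);
  if (addsHook && ageMs < COOLDOWN_MS) {
    const hours = Math.round(ageMs / 3600000);
    return { hold: true, reason: `${version} adds an install script and is only ${hours}h old` };
  }
  return { hold: false, reason: 'ok' };
}

// Allowlist check: returns names of resolved packages that declare install
// scripts but are not on the allowlist (hypothetical stand-in for the proposed key).
function unlistedInstallScripts(resolved, allowList) {
  const allowed = new Set(allowList);
  return Object.entries(resolved)
    .filter(([name, doc]) => hasInstallScript(doc) && !allowed.has(name))
    .map(([name]) => name);
}

// Constructed sample registry metadata for a fictional package.
const SAMPLE_META = {
  name: 'example-pkg',
  time: { '1.0.0': '2024-01-01T00:00:00.000Z', '1.0.1': '2024-01-10T12:00:00.000Z' },
  versions: {
    '1.0.0': { version: '1.0.0', scripts: { test: 'node test.js' } },
    '1.0.1': { version: '1.0.1', scripts: { test: 'node test.js', postinstall: 'node setup.js' } },
  },
};

// 1.0.1 adds a postinstall hook and is 12h old at this instant, so it is held.
console.log(cooldownVerdict(SAMPLE_META, '1.0.0', '1.0.1', Date.parse('2024-01-11T00:00:00.000Z')));
console.log(unlistedInstallScripts({ 'example-pkg': SAMPLE_META.versions['1.0.1'],
  'native-helper': { scripts: { postinstall: 'node build.js' } } }, ['native-helper']));
```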
insanitybit an hour ago | parent

You realize that "dependency cooldowns" as a popular concept are extremely new, right? npm manages the installation of dependencies for millions upon millions of users across the globe.

> It could add a Hardened Security program where (1) package maintainers could opt into a program where multi-factor confirmation by maintainers is required on every publish, even those triggered by CI;

Great, they did this.

> And so much more.

This shit takes time. Yes, they should have done this on day 1. Acting like any of this is easy to retrofit is just nuts though.