Remix.run Logo
ashu1461 2 hours ago

This makes me think whether npm (and other registries) should apply security requirements based on ecosystem impact. Example a package having millions of downloads can have special security measures enforced.

madeofpalk 2 hours ago | parent [-]

What would be a security measure that should only be selectively enforced?

toomuchtodo 2 hours ago | parent [-]

Higher cost (“Mythos” vs static code analysis) vulnerability scanning prior to successful merge to main branch or deployment as an artifact. As risk increases (popular code->greater exposure potential), increase automated, programmatic scrutiny on subject code to lower residual risk.

(application security and vulnerability management is a component of my work in financial services, thoughts and opinions always my own)