What would be a security measure that should only be selectively enforced?
Higher cost (“Mythos” vs static code analysis) vulnerability scanning prior to successful merge to main branch or deployment as an artifact. As risk increases (popular code->greater exposure potential), increase automated, programmatic scrutiny on subject code to lower residual risk.
(application security and vulnerability management is a component of my work in financial services, thoughts and opinions always my own)
There are few ideas which come to my mind, some might be far fetched, taking NPM as an example.
- Restricting packages with similar names as of popular packages restrict expres because express is a popular package.
- Imposing stricter 2FA checks on accounts of authors of these packages.
- Making sure that published packages don't have vulnerabilities and clear npm audit.
- Alerts in case these packages contain a dependency which is new / relatively new.