logoalt Hacker News

ashu1461today at 12:25 AM1 replyview on HN

There are few ideas which come to my mind, some might be far fetched, taking NPM as an example.

- Restricting packages with similar names as of popular packages restrict expres because express is a popular package.

- Imposing stricter 2FA checks on accounts of authors of these packages.

- Making sure that published packages don't have vulnerabilities and clear npm audit.

- Alerts in case these packages contain a dependency which is new / relatively new.


Replies

0cf8612b2e1etoday at 1:52 AM

Pre-publish to official security orgs. Does not get released into the wild until k of N auditors agree.