re: How do we improve security in the npm ecosystem?


Somebody in the thread suggested treating ownership changes as a major version bump. That seems worth exploring, although my gut feeling is that the only way it'd really work well is to make it part of the semver standard and have the registry automatically bump and republish on any addition to the collaborator/publisher list.


Yeah, but then a smart attacker would just release an innocuous major version and then slip in the malware in the next minor one.
