re: How do we improve security in the npm ecosystem?

re: I think there are a lot of facets to this, but I think it would be interesting if there were a crowdsourced auditing/vetting system associated with...

I can imagine an automated audit which might be useful: one to ensure that the minified version of a package is the same as the normal version. Setting up an easy way for anyone to verify this change sounds straightforward, although perhaps not easy.

I see a direct parallel between trusting binaries and trusting minified source. For those who are not familiar with Ken Thompson's paper "Reflections on Trusting Trust", I highly recommend reading it:

Reflections on Trusting Trust
Ken Thompson
Communications of the ACM, Vol. 27, No. 8, August 1984

