re: How do we improve security in the npm ecosystem? VIEW POST

  • Author verification (npm)
    • This could be the solution already, if the verification process can't be tempered with.
  • Automatic major version bumps on maintainer change (npm)
  • Transparent minification (npm/github)
    • This could also be selfmade, something like a .travis.yml, that makes clear how the package needs to be built.
    • After building the package there should be a file hash that can be compared to the one npm pack produces.
  • Code signing (npm)
  • Mandatory two-factor-authentication (npm/github)
  • Locking package names after deletion / Allow only scoped packages (npm)
    • To prevent stuff like this.
  • Code should be sandboxed by default, no access to network and file system without asking for permission (node.js)
    • Examples: Android apps or Chrome extensions
    • This is afaik a major design feature in deno (See point 4 in the readme), the new TypeScript runtime by Ryan Dahl, the inventor of node.js
code of conduct - report abuse