re: How do we improve security in the npm ecosystem?

re: Aaron Patterson @tenderlove I feel like a good business would be offering access to an NPM / RubyGems server that only hosts packages that are si...

I definitely think digitally signed packages would be a good way to go. I think having a central repository for packages may eventually cause issues because of considerations like who actually owns the hosted data, who can rightfully access the data, whether charging to access the packages violates the licenses, etc. Maybe just a service that does digital signing and authentication, so each module can be checked before being loaded, or create some sort of warning message should the check of the digital signature fail.
