by micaksica 3175 days ago
I'm curious what the percentage of npm publishers that have this toggled on is, and I wish that was available data. First, in terms of all packages, and then of top 1000 packages. I'll wildly guess <0.5% of all packages, and <1% of top 1000. You don't get 2FA without the beta client right now anyway.

It's of no surprise to anyone that follows Node.js security at this stage that the third-party dependency chain is really its biggest weak link. Jordan Wright did some good research a couple of months ago on Node dependency trees and malicious packages that's worth a read:

https://duo.com/blog/hunting-malicious-npm-packages


> I'm curious what the percentage of npm publishers that have this toggled on is, and I wish that was available data.

I know we're tracking this data and I bet a follow-up post will be written at some point once some numbers are available. As you say, I expect 2FA will see wide adoption as soon as a stable version lands in the upstream Node.

I hope that accounts will have some badges on npmjs.org/<pkg> eventually. That will increase awareness and highlight those that don't have 2FA.