by sorahn 2603 days ago
If you can just point at the github registry, and run `npm publish`, does that really solve the problem?

NPM's major problem is there's no official link between the package and the repo, any code/branch can be published, and unless I'm missing something, this doesn't really solve that issue.

OTOH GitHub is already in the position to require that only accounts that have 2-factor auth enabled can publish to public repositories. You can already require on organization level that only users who have 2FA enabled can be members of the org, which is a great feature for orgs that host private code on GitHub.

AFAIK most cases where npm etc. have been compromised are scenarios where the maintainer of a popular package re-used a password, and the password became compromised in some unrelated hack. Other attack vectors (compromising access tokens on the maintainer's computer, compromising 2FA, compromising a git repo) really are a notch harder.

Even if these hacks are not the fault of npm per se, they make them look bad, and looking bad security-wise is really really something you don't want to happen to you when your whole business model is founded on user trust (public package repo).

There can be a link, if you prefer to write your dependencies down that way in package.json. See Git URLs¹ and GitHub URLs².

There are some challenges, though. If the repository requires a build step to derive a package from it then the author has to provide the proper package.json lifecycle hooks, e.g. a prepare script. Also, there's presently no git/hub-install support for a package nested inside a monorepo.

¹ https://docs.npmjs.com/files/package.json#git-urls-as-depend...

² https://docs.npmjs.com/files/package.json#github-urls
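As an added illustration (not from any commenter in this thread), here is what the Git/GitHub URL forms and the `prepare` hook mentioned above look like together in one `package.json`. The package is one that is itself meant to be installed straight from its repository, so it declares a `prepare` script to run its build step, and it pins its own git-sourced dependencies. All names, the repository paths and the 40-hex-character commit hash are constructed placeholders:

```json
{
  "name": "example-lib",
  "version": "1.4.0",
  "main": "dist/index.js",
  "scripts": {
    "build": "tsc -p .",
    "prepare": "npm run build"
  },
  "dependencies": {
    "pinned-dep": "github:example-org/pinned-dep#0123456789abcdef0123456789abcdef01234567",
    "ranged-dep": "git+https://github.com/example-org/ranged-dep.git#semver:^2.1.0"
  },
  "devDependencies": {
    "typescript": "^5.0.0"
  }
}
```

The `#<commit>` form pins the dependency to an exact repository state, which is the closest npm gets to the "official link between package and repo" the thread asks for: a branch name or tag can be moved after the fact, a commit hash cannot. The `#semver:` form resolves against git tags and so trusts whoever can push tags. When npm installs a git dependency it runs that package's `prepare` script, which is why a library distributed this way must ship its build tooling in `devDependencies`.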

Not big challenges though.

A simple tool like https://github.com/andreineculau/npm-publish-git does the job (it's regularly used and tested within my current company TobiiPro https://github.com/tobiipro).

We publish npm packages to git tags that get installed exactly the same as packages received from a registry, no build step necessary.