by hobofan 2500 days ago
At least in the case of NPM (I don't know as much about the other ones): Doesn't that create a huge opportunity for hijacking attacks, where someone publishes a malicious NPM package in the default NPM registry under the scope identical to a Github organization/username?
2 comments

That is an interesting idea, playing on people's confusion as to where to install from. And someone is going to put the super terse `npm i -g mytool` on their README.md page (because it's all about the easy installs isn't it!) and forget to say "change your registry to github" and boom!
Not even "someone". Exactly that command is available to copy to clipboard on the page of this new feature. Yeah, a small link to the instructions is printed underneath it, but most users - especially the ones that are new to package managers and the most vulnerable - will ignore that.
Maaaaaaybe. But I don’t think so in practice. At least not yet. Would probably be good to see package.json evolve to allow specification of registry. In my personal experience of using a private npm registry, you pay a lot more attention to package-lock. package.json could probably evolve to specify registry in a similar way.
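Added example, not from the thread and not npm's own code: npm already lets a project-level .npmrc pin a scope to a registry (`@scope:registry=URL`), and the lockfile's `resolved` field records where each tarball actually came from. The script below parses that subset of .npmrc, works out which registry a given name resolves to (scoped override first, default registry otherwise), and audits a lockfile v2/v3 `packages` map for scoped packages that were fetched from somewhere other than the registry the scope is pinned to, which is exactly the hijack case discussed above. The .npmrc and package-lock.json contents are constructed samples; the scope `@myorg` and the package names are hypothetical.

```javascript
// Added example: resolve a package name to its registry under a given .npmrc and
// flag lockfile entries whose resolved URL disagrees with that registry.
// SAMPLE_NPMRC and SAMPLE_LOCK are constructed for illustration.

const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@myorg:registry=https://npm.pkg.github.com/',
  '//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}',
].join('\n');

const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
    'node_modules/@myorg/lib': {
      version: '1.2.0',
      resolved: 'https://npm.pkg.github.com/download/@myorg/lib/1.2.0/0123abcd',
    },
    // Same scope, but fetched from the public registry: the hijack scenario.
    'node_modules/@myorg/tool': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/@myorg/tool/-/tool-1.0.0.tgz',
    },
  },
};

// Parse only what we need from .npmrc: the default registry and @scope:registry lines.
function parseNpmrc(text) {
  const cfg = { registry: 'https://registry.npmjs.org/', scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key === 'registry') {
      cfg.registry = val;
    } else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = val;
    }
  }
  return cfg;
}

// A scoped name uses its @scope:registry when one is configured; everything else
// (unscoped names, or scopes with no override) falls back to the default registry.
function registryFor(cfg, pkgName) {
  const slash = pkgName.indexOf('/');
  const scope = pkgName.startsWith('@') && slash > 0 ? pkgName.slice(0, slash) : null;
  return (scope && cfg.scopes[scope]) || cfg.registry;
}

// Walk lockfile v2/v3 "packages" entries and report any whose resolved tarball URL
// is not served by the registry the .npmrc says that name should come from.
function auditLock(cfg, lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0 || !entry.resolved) continue; // root entry "" or entries without a tarball
    const name = path.slice(idx + marker.length);
    const expected = registryFor(cfg, name);
    if (!entry.resolved.startsWith(expected)) {
      findings.push({ name, resolved: entry.resolved, expected });
    }
  }
  return findings;
}

function auditSample() {
  return auditLock(parseNpmrc(SAMPLE_NPMRC), SAMPLE_LOCK);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On a real project, `npm config get @myorg:registry` shows whether a scope is pinned at all, and the `resolved` field in package-lock.json is the same value this check reads; an unpinned scope means `npm i -g @myorg/tool` goes to the default registry regardless of where the package "should" live.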
Considering the npm corporation had layoffs[0], and how they haven't merged any PRs from outside sources in a while (this may have changed, but here's an example[1]), they might not be stoked to reduce the friction of linking to other package repositories from within package.json.

0: https://hub.packtpub.com/surprise-npm-layoffs-raise-question...

1: https://github.com/npm/cli/pull/125#issuecomment-474127391