by spankalee
276 days ago
The supply chain infrastructure needs to stop being naive and allowing for insecure publishing.

- npm should require 2FA and disallow tokens for publishing. This is an option, but it should be a requirement.
- npm should require using a trusted publisher and provenance for packages with over 100k downloads a week and their dependencies.
- GitHub should require a 2FA step for automated publishing.
- npm should add a cool down period where it won't install brand new packages without a flag.
- npm should stop running postinstall scripts.
- npm should have an option to not install packages without provenance.
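The cool-down idea from the comment above, as an added example that is not part of the original post: a client-side check that refuses a package version published less than N days ago, using the `time` map the npm registry returns in a package document. The 7-day threshold, the sample metadata and the helper names are assumptions.

```javascript
// Added example (not from the comment): enforce a "cool-down" before installing a
// brand-new package version, based on the registry's per-version publish timestamps.

const MIN_AGE_DAYS = 7; // assumed policy: refuse versions younger than this

// Decide whether `version` is old enough to install.
// `timeMap` is the registry document's `time` object: { created, modified, "<version>": ISO date }.
function checkCooldown(timeMap, version, now = new Date(), minAgeDays = MIN_AGE_DAYS) {
  const published = timeMap && timeMap[version];
  if (!published) {
    // A version with no timestamp is treated as not installable rather than allowed.
    return { allowed: false, ageDays: null, reason: `no publish timestamp for ${version}` };
  }
  const ageDays = (now.getTime() - new Date(published).getTime()) / (24 * 60 * 60 * 1000);
  if (ageDays < minAgeDays) {
    return { allowed: false, ageDays, reason: `${version} is ${ageDays.toFixed(1)} days old (< ${minAgeDays})` };
  }
  return { allowed: true, ageDays, reason: `${version} is ${ageDays.toFixed(1)} days old` };
}

// Constructed sample registry metadata (not a real package).
const SAMPLE_TIME = {
  created: "2024-01-10T00:00:00.000Z",
  modified: "2024-06-01T12:00:00.000Z",
  "1.0.0": "2024-01-10T00:00:00.000Z",
  "1.1.0": "2024-06-01T12:00:00.000Z",
};

// Live variant (needs network, Node 18+ for global fetch): fetch the package document
// from the public registry and apply the same check. Scoped names use %2F for the slash.
async function checkFromRegistry(name, version, minAgeDays = MIN_AGE_DAYS) {
  const res = await fetch(`https://registry.npmjs.org/${name.replace("/", "%2F")}`);
  if (!res.ok) throw new Error(`registry lookup failed: ${res.status}`);
  const doc = await res.json();
  return checkCooldown(doc.time, version, new Date(), minAgeDays);
}

// Offline demo over the constructed metadata, evaluated "on" 2024-06-03.
function demo() {
  const now = new Date("2024-06-03T00:00:00.000Z");
  return ["1.0.0", "1.1.0", "9.9.9"].map((v) => checkCooldown(SAMPLE_TIME, v, now));
}
```

Such a check belongs in a pre-install hook or CI step, with an explicit flag to override it when a fresh version is genuinely wanted, which is the behaviour the comment asks npm itself to provide.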