Hacker News
by davidpfarrell 266 days ago
Wow, so couldn't said security companies establish their own registry that we could point to instead, where packages would only get updated after they reviewed and approved them?

I mean, I'd prolly be okay paying a yearly fee for access to such a registry.


IIUC Chainguard is this, but only for Python, Java, and Docker images so far. https://www.chainguard.dev/libraries

I think it would be a no-brainer for npm to offer this, but idk why they haven't.
Probably because they would expose themselves legally? Not sure what the current situation is exactly, but I assume it's "at your own risk".