by sintax 227 days ago
A GitHub repo with only pre-compiled binaries coming from npmjs. These days anything from npmjs should already raise red flags, let alone something pre-compiled without sources.
3 comments

To be fair, the new trusted publishers feature goes a long way to improving this (not used by this package, by the look of it). I migrated a few of my packages to it, and now:

- publishing with an API token is forbidden; you must use the specified workflow with OIDC auth

- an explicit approval step in GitHub is required to run the publish workflow (you can also set a time delay, similar to time release safes)

- provenance is generated and published

Ref: https://docs.npmjs.com/trusted-publishers/
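The three points above map onto a single GitHub Actions workflow. The following is an added example, not this package's workflow or anything from the npm docs verbatim; it assumes a trusted publisher has been registered on npmjs.com for this repository, this workflow filename (`publish.yml`) and a GitHub environment named `npm-publish` whose required reviewers (and optional wait timer) supply the approval step. The job gets `id-token: write` so it can obtain the OIDC token npm exchanges for publish rights, and no `NPM_TOKEN` secret appears anywhere.

```yaml
# .github/workflows/publish.yml  (added example; filename must match the
# workflow registered as the package's trusted publisher on npmjs.com)
name: Publish to npm

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment: configured in the repo settings with required
    # reviewers (manual approval) and, optionally, a wait timer (time delay).
    environment: npm-publish
    permissions:
      id-token: write   # mint the OIDC token that replaces a long-lived API token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # Trusted publishing needs a recent npm CLI; see the npm docs for the
      # minimum version. Upgrading in the job avoids depending on the runner image.
      - run: npm install -g npm@latest
      # No NODE_AUTH_TOKEN / NPM_TOKEN here: authentication is the OIDC token,
      # and npm attaches a provenance attestation to the published version.
      - run: npm publish
```

Consumers can check that an installed version carries a registry signature and provenance attestation with `npm audit signatures`; a package that was published with a token from a laptop simply has no attestation to verify, which is the gap trusted publishing closes.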

I think you can compile the Rust core lib from source yourself - https://github.com/Shyam20001/brahma-core
Exactly. I have attached the src link in the README file. I'm maintaining independent sources and planning to build the same for Python via maturin.
Bro, the source is locked and precompiled; nobody, not even the author, can edit it with malicious binaries. That's why people used to publish binaries to ensure stability, instead of pulling from git each time.