by nurumaik 217 days ago
How much would it cost to just hire a team that will manually review every commit to every popular npm package and its dependencies? Is it possible to make it a working business? Seems like it will cost much less than the total damage done by supply chain attacks.
1 comment

There are companies that continuously rebuild popular libraries from source in an isolated environment and serve it to you -- which would eliminate certain types of distribution attack (Chainguard, for example).

I don't know if anyone's doing it at the individual commit level as a business.
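The kind of check a rebuild-from-source service makes possible, as an added example that is not part of the thread and not Chainguard's or the commenter's code: rebuild the package yourself, then diff the rebuilt tarball against the one the registry served you, file by file. The package name, file contents and the "compromised mirror" tarball below are all constructed fixtures, built in memory so the script runs offline.

```python
"""
Compare a package tarball as distributed (e.g. fetched from a registry or mirror)
against one rebuilt from source, and report files whose contents differ, are
missing, or were added. Both tarballs here are constructed in memory.
"""
import hashlib
import io
import tarfile


def _tar_digests(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file inside a gzipped tarball to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(rebuilt: bytes, distributed: bytes) -> dict[str, list[str]]:
    """Return paths that differ between the trusted rebuild and the distributed artifact."""
    ref = _tar_digests(rebuilt)
    dist = _tar_digests(distributed)
    return {
        "modified": sorted(p for p in ref if p in dist and ref[p] != dist[p]),
        "missing": sorted(p for p in ref if p not in dist),
        "added": sorted(p for p in dist if p not in ref),
    }


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a gzipped tarball in memory from {path: content} (fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp keeps the archive reproducible
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: a clean rebuild of a hypothetical package "left-pad-ish".
CLEAN_SOURCE = {
    "package/package.json": b'{"name":"left-pad-ish","version":"1.0.0","main":"index.js"}',
    "package/index.js": b"module.exports = (s, n) => s.padStart(n);\n",
}

# Constructed sample: the same version as served by a tampered mirror, with an
# install hook added to package.json and an extra file dropped in. Marker text only.
TAMPERED_DIST = {
    "package/package.json": b'{"name":"left-pad-ish","version":"1.0.0","main":"index.js",'
                            b'"scripts":{"postinstall":"node setup.js"}}',
    "package/index.js": b"module.exports = (s, n) => s.padStart(n);\n",
    "package/setup.js": b"// unexpected file not present in the source rebuild\n",
}


def demo() -> dict[str, list[str]]:
    """Diff the tampered distribution against the clean rebuild."""
    return compare_builds(make_tarball(CLEAN_SOURCE), make_tarball(TAMPERED_DIST))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Comparing per-file digests rather than the whole archive's hash is deliberate: gzip headers carry timestamps, so two honest builds of the same sources can differ byte-for-byte while every file inside matches. The check catches the distribution-side tampering the comment refers to (a swapped artifact); it says nothing about a malicious change that was committed to the source itself, which is the gap the original question is about.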