by KolmogorovComp 33 days ago
What would be the required budget to host an alternative registry? I'm surprised any GAFAM still hasn't stepped in and started building their alternative, at least for NPM to up its game in order not to become completely irrelevant.

At Amazon, they maintain a private internal registry of packages with approved licenses and audits. This has been in place for several years. I assume other big corps enforce similar policies.
Do you know if they are using any product like JFrog for this or rolling their own?
This is Amazon, the company where the stuff they rolled their own now makes more money than the business it was rolled for: https://aws.amazon.com/codeartifact/
If your company is not running an internal proxy at minimum you're stupid - you have no audit function for what libraries are being pulled.
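One concrete form the "audit function" above can take is a lockfile check: every npm dependency records the URL it was fetched from, so a CI step can flag anything that bypassed the internal proxy or lacks an integrity hash. The script below is an added example, not code from the commenter or from any product mentioned in the thread; the proxy host name `npm-proxy.internal.example` is an assumed placeholder and the two lockfiles are constructed samples covering both the v1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts.

```python
"""Audit an npm package-lock.json: report dependencies that were not
resolved through the approved internal registry/proxy, or that carry
no integrity hash. Added example; host name and lockfiles are constructed."""
import json
from urllib.parse import urlparse

# Assumption: hypothetical host name of the company's internal npm proxy.
APPROVED_HOSTS = {"npm-proxy.internal.example"}

# Constructed sample in lockfileVersion 3 layout ("packages" keyed by path).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm-proxy.internal.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/some-lib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/some-lib/node_modules/nested": {
            "version": "0.1.0",
            "resolved": "https://npm-proxy.internal.example/nested/-/nested-0.1.0.tgz",
        },
    },
})

# Constructed sample in lockfileVersion 1 layout (nested "dependencies").
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "a": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/a/-/a-1.0.0.tgz",
            "integrity": "sha512-CCCC",
            "dependencies": {
                "b": {
                    "version": "1.0.0",
                    "resolved": "https://npm-proxy.internal.example/b/-/b-1.0.0.tgz",
                    "integrity": "sha512-DDDD",
                }
            },
        }
    },
})


def _iter_entries(lock):
    """Yield (package name, metadata) for both lockfile layouts."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "" or meta.get("link"):
                continue  # root project entry or workspace symlink, not a fetch
            yield path.rsplit("node_modules/", 1)[-1], meta
    else:
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, approved_hosts=APPROVED_HOSTS):
    """Return a list of (package, problem) tuples; empty means the lockfile
    only references the approved proxy and every entry is pinned by hash."""
    lock = json.loads(lock_text)
    findings = []
    for name, meta in _iter_entries(lock):
        resolved = meta.get("resolved")
        if resolved is None:
            findings.append((name, "no resolved URL recorded"))
        else:
            host = urlparse(resolved).hostname
            if host not in approved_hosts:
                findings.append((name, f"fetched from unapproved host {host}"))
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for name, problem in audit_lockfile(sample):
            print(f"{name}: {problem}")
```

Run it against a real `package-lock.json` by passing the file contents to `audit_lockfile`; a non-empty result is the signal to fail the build. The check is deliberately about where packages came from and whether they are hash-pinned, which is exactly the visibility the proxy is meant to give.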
Not every company has tons of available funds to run 300 different internal services to "protect" itself.