[giancarlostoro]

Interesting has a 24hr cooldown before trusting package updates and a no-trust option for trusting downgrades given all the npm hacks and issues lately, smart move. I wonder if there's better ways to protect against this.

[LoganDark]

Same here; I hope the vulnerability discovery process evolves from "letting somebody else find out first". There are tons of vendors that scan the ecosystem, but I'd love something that works automatically at the point of install