Hacker News new | ask | show | jobs
by insanitybit 12 days ago
You realize that "dependency cooldowns" as a popular concept are extremely new, right? npm manages the installation of dependencies for millions upon millions of users across the globe.

> It could add a Hardened Security program where (1) package maintainers could opt into a program where multi-factor confirmation by maintainers is required on every publish, even those triggered by CI;

Great, they did this.

> And so much more.

This shit takes time. Yes, they should have done this on day 1. Acting like any of this is easy to retrofit is just nuts though.
1 comments
j1elo 12 days ago
What is being said is that a new flag like '--minimum-release-age' would take, realistically speaking, tops 4 hours to implement (without AI assistance), plus a good 1 week of thorough testing, and maybe a 1 month period of progressive deployment. Come on, let's give it a total of 1.5 months, for good measure.

Of course this should have been started since the beginning of the major recent stream of supply chain attacks, circa 2024 or 2025... but even assuming the most backwards calendaring possible -starting after the last bug compromise (Axios, on March 31st)- that new flag should have already been shipped a couple weeks ago.

Shit does take time, but where there's a will there's a way, and nobody buys that this shit would take that much time.

link
insanitybit 12 days ago
Have you ever managed software as critical and ubiquitous as npm?
link
j1elo 12 days ago
Not infra, but final product. I know, corporations move slow. But when there is a critical issue, and an actual desire to solve it from someone in a suit, suddenly turns out that the cogs were always able to speed up and move fast...
link