Companies such as Socket and SafeDep will still scan new packages and alert on malware (if they are able to detect it), so the packages are taken down before they pass your cooldown.
This is what serious software distribution platforms do. Developers may think that they are special and that they would never install malware, but that's just not the case.
I'd argue that we don't actually know if this is the case or not because we haven't yet gotten to that point. How do we know that security researchers won't just move to testing things later as well?
You have a lot more faith than I do that companies paying security researchers will not try to cut corners by directing the researchers they employ or hire to look at stuff that they aren't even about to install.
No, it will stop working. The whole point of min age is letting someone else taste the food before you, so you are not poisoned. (Except maybe scanners, but they can't detect everything, and the payloads will highly likely remain dormant when they detect they are within a scanning env.)
BTW it will only get much worse because popular AI coding harnesses (e.g. OpenCode/KiloCode) will just download random npm packages in the background without you knowing. And the devs don't care.
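To make the "min age" mechanism from the comment above concrete, here is an added example that is not part of the thread and not code from npm, Socket or SafeDep. It filters a registry metadata document (the `dist-tags` and `time` fields have the shape the public npm registry returns; the package name, versions and timestamps are constructed) and resolves the newest version that has been public for at least a configurable number of days, failing closed when every release is still inside the window. The version-comparison and clock handling are the example's own simplifications, not a description of how any real tool implements cooldown.

```javascript
// Added example: a minimal "minimum release age" filter over npm registry metadata.
// SAMPLE_META and NOW are constructed sample data, not real registry output.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed registry metadata for a hypothetical package "example-lib".
const SAMPLE_META = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2023-01-10T08:00:00.000Z",
    modified: "2024-06-01T12:00:00.000Z",
    "1.0.0": "2023-01-10T08:00:00.000Z",
    "1.1.0": "2023-09-03T10:15:00.000Z",
    "2.0.0": "2024-05-20T09:30:00.000Z",
    "2.1.0": "2024-06-01T12:00:00.000Z", // one day old at NOW: still in cooldown
  },
};

// Fixed "current time" so the example is deterministic.
const NOW = new Date("2024-06-02T12:00:00.000Z");

// Simplified numeric comparison for plain MAJOR.MINOR.PATCH versions (no prerelease tags).
function semverCompare(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions with their publish times, excluding the registry's created/modified bookkeeping keys.
function publishedVersions(meta) {
  return Object.entries(meta.time)
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key))
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }));
}

// Pick the newest version that has been public for at least minAgeDays.
// Returns { version, ageDays, skipped }; version is null when every release is
// still inside the cooldown window, so the caller can fail closed.
function selectVersion(meta, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  const all = publishedVersions(meta);
  const eligible = all.filter((v) => v.publishedAt.getTime() <= cutoff);
  const skipped = all
    .filter((v) => v.publishedAt.getTime() > cutoff)
    .map((v) => v.version)
    .sort(semverCompare);
  if (eligible.length === 0) return { version: null, ageDays: null, skipped };
  const best = eligible.sort((a, b) => semverCompare(b.version, a.version))[0];
  const ageDays = Math.floor((now.getTime() - best.publishedAt.getTime()) / MS_PER_DAY);
  return { version: best.version, ageDays, skipped };
}

// Would a plain install of dist-tags.latest land inside the cooldown window?
function latestIsInCooldown(meta, now, minAgeDays) {
  const latest = meta["dist-tags"].latest;
  const publishedAt = new Date(meta.time[latest]).getTime();
  return now.getTime() - publishedAt < minAgeDays * MS_PER_DAY;
}

if (typeof require !== "undefined" && require.main === module) {
  const minAgeDays = 7;
  const result = selectVersion(SAMPLE_META, NOW, minAgeDays);
  console.log(
    `latest ${SAMPLE_META["dist-tags"].latest} in cooldown: ${latestIsInCooldown(SAMPLE_META, NOW, minAgeDays)}`
  );
  console.log(`resolved ${result.version} (${result.ageDays} days old), skipped: ${result.skipped.join(", ")}`);
}
```

With a seven-day window the sample resolves to `2.0.0` and skips `2.1.0`, which is the behaviour the comment describes: the freshest release sits unused while scanners and other consumers get their turn at it. A real lockfile-aware tool would also need to handle prerelease tags, range constraints and the transitive dependency graph, which this example leaves out.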