Comment by throwitaway1123
2 years ago
> A secured registry is long overdue, where every release gets an audit report verifying the code and authorship of a new release.
Microsoft did exactly that (since they own both NPM and Github) by allowing you to verify the provenance of NPM packages built using Github Actions [1]. It's not required for all packages though. They've also started requiring all "high impact" packages to use two factor authentication [2].
[1] https://github.blog/security/supply-chain-security/introduci...
[2] https://github.blog/changelog/2022-11-01-high-impact-package...