Comment by GuB-42
10 hours ago
> Idk how you truly solve this without code audits
Idk either, but code audits are definitely a solution. Take Debian packages for instance. Debian has package maintainers, and while they may not do full audits, they will at least test it before publishing. In addition, it doesn't get in the "stable" release before an extensive testing phase. Security patches are usually backported.
Or do like with the Apple App Store, where you don't get to publish anything unreviewed.
These are not perfect solutions; there is no such thing as a perfect solution. For instance, Debian is famously lagging behind in versions, and the App Store will sometimes reject your app for no good reason, while being expensive. In every case there is some barrier to entry, a slow process, and it costs time and money, but that mitigates some of the issues.
Npm seems to have very few safeguards, has a culture of always taking the latest version, and as a result is often victim to supply-chain attacks. I don't think it is just popularity. Debian is really popular too, but AFAIK it doesn't have this problem; in fact, one of the best known supply-chain attacks is the xz library, and Debian didn't fall to it.
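The "always take the latest version" culture the comment describes is visible in a project's own package.json: caret and tilde ranges, `*`, `latest`, and git URLs pointing at a branch all resolve to whatever is newest at install time. The check below is an added example, not code from the comment's author or from npm itself; it walks a manifest object and reports every specifier that can float to a newer release. The function names and the sample manifest are constructed for this illustration.

```javascript
// Added example: flag npm dependency specifiers that can resolve to a newer
// release on the next install, rather than pinning one exact version.

// Exact pin: 1.2.3, optionally with prerelease/build suffixes (1.2.3-rc.1+build).
const EXACT_PIN = /^=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// A git dependency is only pinned when it names a full 40-hex commit;
// branch and tag names can be moved by whoever controls the repository.
const GIT_COMMIT = /#[0-9a-f]{40}$/;
const GIT_PREFIX = /^(git\+|git:|github:|https?:|ssh:)/;

// Returns 'pinned', 'floating' or 'local' for one version specifier.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) {
    // Alias form npm:<name>@<range>; judge the range after the last '@'.
    // Position 4 is the '@' of a scoped name, so a match there means no range.
    const at = s.lastIndexOf('@');
    return at > 4 ? classifySpecifier(s.slice(at + 1)) : 'floating';
  }
  if (GIT_PREFIX.test(s)) {
    return GIT_COMMIT.test(s) ? 'pinned' : 'floating';
  }
  if (/^(file|link|workspace):/.test(s)) {
    return 'local';
  }
  // Anything that is not an exact version (^, ~, *, latest, >=, x-ranges,
  // empty string) can pick up a newer release next time.
  return EXACT_PIN.test(s) ? 'pinned' : 'floating';
}

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns [{section, name, spec}] for every floating specifier in the manifest.
function findFloatingDeps(manifest) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (classifySpecifier(spec) === 'floating') {
        out.push({ section, name, spec });
      }
    }
  }
  return out;
}

// Constructed sample manifest for the demo; not taken from any real project.
const SAMPLE_MANIFEST = {
  dependencies: {
    'left-pad': '^1.3.0',
    'express': '4.18.2',
    'lodash': '*',
    'chalk': 'latest',
    'my-lib': 'git+https://example.invalid/org/my-lib.git#main',
    'pinned-lib': 'git+https://example.invalid/org/pinned-lib.git#' + 'a'.repeat(40),
    'local-thing': 'file:../local-thing',
  },
  devDependencies: {
    'jest': '~29.7.0',
    'eslint': '8.57.0',
  },
};

function report(manifest) {
  const floating = findFloatingDeps(manifest);
  for (const { section, name, spec } of floating) {
    console.log(`${section}: ${name} -> "${spec}" can float to a newer release`);
  }
  console.log(`${floating.length} floating specifier(s) found`);
  return floating;
}

report(SAMPLE_MANIFEST);
```

Pinning package.json only fixes the direct dependencies; transitive dependencies are pinned by the lockfile, and only `npm ci` (not `npm install`) refuses to deviate from it, so a check like this belongs next to a lockfile review rather than instead of one.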