Comment by zubilent
3 months ago
Is the npm package ecosystem fixable at this point? It seems to be flawed by design.
Is there a way to not accept any package version less than X months old? It's not ideal because malicious changes may still have gone undetected in that time span.
Time to deploy AI to automatically inspect packages for suspect changes.
It's a tricky thing because what if the update fixes a critical vulnerability? Then you'd be stuck on the exploitable version for X months longer.
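The minimum-age gate the comment asks about, as an added example (not the commenter's code): it reads the `time` map that the npm registry returns in a package's document (a "packument"), picks the newest release older than N days, and lets a reviewed allowlist release a flagged security fix early so the trade-off in the last sentence is an explicit exception rather than a blanket block. The package name and timestamps are constructed.

```javascript
// Added example: a minimum-age gate over an npm registry "packument".
// The registry's document for a package carries a `time` map of
// version -> ISO publish timestamp (plus "created"/"modified" keys).
// The sample below is constructed, not real registry data.
const samplePackument = {
  name: "example-lib",            // hypothetical package name
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-06-10T12:00:00.000Z",
    "2.0.0": "2024-03-01T00:00:00.000Z",
    "2.0.1": "2024-05-20T00:00:00.000Z",
    "2.1.0": "2024-06-10T12:00:00.000Z", // published hours ago: too new
  },
};

// Parse "MAJOR.MINOR.PATCH" for ordering; prereleases and the metadata
// keys are excluded so the gate never auto-selects an unreleased tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Return the newest version published at least `minDays` before `now`.
// `allow` is an optional set of versions a human reviewed and released
// early (e.g. a fix for a critical vulnerability); such a version skips
// the age check but is reported as an exception so it can be audited.
function pickVersion(packument, { minDays, now, allow = new Set() }) {
  const cutoff = now.getTime() - minDays * 86400000;
  const eligible = Object.entries(packument.time)
    .filter(([v]) => parseVersion(v) !== null)
    .filter(([v, ts]) => allow.has(v) || Date.parse(ts) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  if (eligible.length === 0) return null; // nothing old enough yet
  const chosen = eligible[eligible.length - 1];
  return { version: chosen, exception: allow.has(chosen) };
}
```

For a one-off install, npm's own `--before=<date>` config achieves a similar effect by resolving only versions published before that date; the function above is for enforcing the policy continuously in CI with a reviewed exception list.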