Comment by kevin_thibedeau

2 months ago

To avoid LeftPad 3.0 they're going to have to add some sort of signed capabilities manifest to restrict API access for these narrow domain packages. Then attackers would be limited to targeting those with network privileges.

Package signing of any kind was ruled out in 2013 for nonsensical reasons https://github.com/npm/npm/pull/4016

  • Time to revisit, clearly.

    • Agreed, more than time to revisit. I have stopped using npm entirely because of their cavalier attitude to security.

      Code signing could and should have been implemented years ago. It's not a panacea but just part of defense in depth.

      I can't trust npm whatsoever to do the right thing at this point.