
Comment by tomaytotomato

4 days ago

Could npm adopt a reverse domain naming system similar to Java's for Maven libraries?

com.foo.bar

That would require domain verification, but it would add significant developer friction.

Also mandatory Dune reference:

"Bless the maker and his water"

Some MFA requirement to publish a new version of the package would be a good idea. In my experience, releasing a new version of software is a big enough deal that the product owner is on hand to authorize the release via a separate device, no matter how automated the pipeline is.

I was thinking something similar to cargo-audit, because domain names don't really fix anything here