Comment by yourapostasy

2 months ago

GitHub back in September already published their roadmap of mitigations to NPM supply chain attacks:

https://github.blog/security/supply-chain-security/our-plan-...

I'm guessing no one yet wants to spend the money it takes for centralized, trusted testing where the test harnesses employ sandboxing and default-deny installs, Deterministic Simulated Testing (DST), or other techniques. And the sheer scale of NPM package modifications per week makes human-in-the-loop-based defense daunting, to the point that only a small "gold standard" subset of packages that has a more reasonable volume of changes might be the only palatable alternative.

What are the thoughts of those deep inside the intersection of NPM and cybersecurity?