Comment by eranation
4 hours ago
Interesting idea, but there are so many cases of solo maintainers.
I think that npm can have its own cooldown and automated security scan. Socket.dev, StepSecurity both close a gap here by spending tokens to scan new popular packages. Whether they do it for marketing or out of the goodness of their heart, is irrelevant. They don’t charge for this service, and it’s something I’d expect Microsoft (who owns GitHub who owns npm) to do.
No comments yet
Contribute on Hacker News ↗