Comments (1)
victorb
commented on May 10, 2024
Hi @d4hines! Thanks for question and no worries that it's not specific to this project.
The current way of dealing with this, is as far as I know, only scanning packages with some for-profit service which has collaborated with the npm registry. This obviously only works finding issues that already been found before (ala blacklist).
My thinking around this issue is that there are two ways we can improve the current situation:
-
Offering a build-solution for packages, where instead of the current way where packages are built locally on the developers machine and then pushed to the registry, the source code gets read directly from the source, and the build happens on servers, then pushed to the registry. Then we can also serialize the build steps and run tests to see if the packages are actually reproducible.
-
Package signing MUST be used for package releasing. A recent issue happened in npm as a user account with compromised and the attacker managed to push code that the actual developer did not write. By requiring package signing, we authenticate that the package actually come from the author we think it should come from.
Both these thoughts are very young (see: underdeveloped) and might miss the mark.
I'm very eager to hear about other possible solutions. I think solution 1 would work very well, but does kind of set stop-wheels in 2, but we don't need 2 if we have 1.
from open-registry.
Related Issues (20)
- Let's decide on a roadmap HOT 2
- How is the Open-Registry project actually run right now? HOT 3
- Cache original metadata response without rewriting
- Suggestion: Additional Form of Funding (Mining Crypto) HOT 1
- Why is this written in Closure and not JavaScript? HOT 2
- Make sure 404s from registry.npmjs.org gets 404 response from open-registry
- To accept sponsorships or not? HOT 1
- Future upgrades for public dashboard
- Support more registries
- Fetching packages via dnslink HOT 1
- Implement Open Services Framework V1
- Production go-ipfs going bananas HOT 23
- avoid Open-Registry to kill connections coming from Bolivar
- FIXME, I fail.
- Is this usable as a fallback?
- Corrupted JSON on https://npm.open-registry.dev/wrappy URL HOT 3
- Registry is down - npm.open-registry.dev let's encrypt certificate expired yesterday HOT 3
- Using 3rd party software
- Code Analysis No more from scratch project
- npm.open-registry.dev serving malformed json for lodash HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from open-registry.