The conclusion I'm coming to is that depending on packages which only have a single author is problematic. There are too many ways that packages published by one person can be compromised.

Packages which don't have approval and review by a reliable third party shouldn't be visible by default in a package manager.

That's a lot of entitlement for things you haven't paid a cent for; not just multiple authors but trusted 3rd parties; approval and review; etc.

I’ve done all those things myself (past ASF member, where all that and more was SOP), so I realize what I’m asking for. It’s not crazy for authors of small packages to form small collectives and serve as each other’s trusted third parties.

In any case, if the choice is “frequent supply chain compromise, take it or leave it”, the answer is of course “leave it”.

If we need to pay for curated packages because the problems with NPM are endemic, that’s not unreasonable.

> It’s not crazy for authors of small packages to form small collectives and serve as each other’s trusted third parties.

Yeah, there's that insane entitlement. More demands for others' time and labor, plus the conflation of you demanding labor with the idea that if people don't agree to your free-labor demands, they're pro supply chain compromise.

In a general discussion forum, I have floated some approaches for hardening distribution which have proven effective in other communities. If NPM can harden their systems using other mechanisms, then more power to them.

> In any case, if the choice is “frequent supply chain compromise, take it or leave it”, the answer is of course “leave it”.

There's another choice: vendor your dependencies and manually review and vet updates. That solves all your problems with no need for "trusted third parties": you are the one vetting it, so you only need to trust yourself.

You just turn a problem that a couple of thousand people have into a problem for a couple of million.

Fixing it early, so the user does not have to deal with the complexity, is most often the best approach.

How many of your dependencies have 2nd level dependencies which have even deeper dependencies on ZX Utils, or NX (or left_pad.js)?

(right now I don't know the answer to that for the stuff I'm responsible for, but I'm in the process of researching and setting up and configuring the sort of tools needed to automate that.)

How are you supposed to gain collaborators for a project that no one can possibly find?

There are ways, but at a high level, I don't care. I hate how modern package managers have come to value author convenience over downstream user security.

Fair enough.

In the meantime, I'm trying to do my part through occasional random spot inspections when there's an update to a package, and encourage others to do the same for swarm coverage.

Ahh, the classic "I don't care". What if other people don't care about your problems? What if both sides don't care about each other? What then?

We wait and see whether the supply chain attacks crescendo to a crisis and force NPM's hand. In the meantime I'm doing everything I can to avoid NPM and to uphold "just don't use the software if you don't like it"... but people like myself don't always have a choice.