The problem is nobody checks.
All the axios releases had attestations except for the compromised one. npm installed it anyway.
Yes, that's why I aim to make the checks transparent to the user. You only need to provide the download URL for the authentication to take place. I really need to record a small demo of it.