undefined | Better HN

0 pointsjessaustin10y ago0 comments

What a great link: topical and well-reasoned! The concluding sentence is interesting: "My biggest hope is that we’ll get a solution where the end user has the relationship with the source of trust and not the package author." If one runs one's own npm registry and audits everything that goes into it, one can have that already with npm.

0 comments

semi-extrinsic10y ago

Yes, that closing remark is very interesting. It would essentially be formalising what we somehow do manually/instinctively today: "Installing numpy/react/etc.? Yes, everyone I know trusts that, so I do too." "Installing random small non-popular package? I better have a bit of a look at the code first."

j / k navigate · click thread line to collapse

0 pointsjessaustin10y ago0 comments

0 comments

semi-extrinsic10y ago

j / k navigate · click thread line to collapse