0 points
davidpfarrell
9mo ago
Wow, so couldn't said security cos establish their own registry that we could point to instead, and packages would only get updated after they reviewed and approved them?
I mean, I'd probably be okay paying a yearly fee for access to such a registry.
3 comments · 2 top-level
getcrunk
9mo ago
I think it would be a no-brainer for npm to offer this, but I don't know why they haven't.
phatfish
9mo ago
Probably because they would expose themselves legally? Not sure what the current situation is exactly, but I assume it's "at your own risk".
davidshepherd7
9mo ago
IIUC, Chainguard is this, but only for Python, Java, and Docker images so far.
https://www.chainguard.dev/libraries