Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?
replyGive a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.
It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.
I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.
replyThe obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.
replyThere is a time window - https://docs.npmjs.com/policies/unpublish
replyYes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.
replyIt should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.
I mean they brought that incident on themselves...
reply