upvote

points

by btown3 hours ago |
comments
upvoteby insanitybit3 hours ago|
[-]
You realize that "dependency cooldowns" as a popular concept are extremely new, right? npm manages the installation of dependencies for millions upon millions of users across the globe.

> It could add a Hardened Security program where (1) package maintainers could opt into a program where multi-factor confirmation by maintainers is required on every publish, even those triggered by CI;

Great, they did this.

> And so much more.

This shit takes time. Yes, they should have done this on day 1. Acting like any of this is easy to retrofit is just nuts though.

reply
upvoteby j1elo2 hours ago|
parent|
[-]
What is being said is that a new flag like '--minimum-release-age' would take, realistically speaking, tops 4 hours to implement (without AI assistance), plus a good 1 week of thorough testing, and maybe a 1 month period of progressive deployment. Come on, let's give it a total of 1.5 months, for good measure.

Of course this should have been started since the beginning of the major recent stream of supply chain attacks, circa 2024 or 2025... but even assuming the most backwards calendaring possible -starting after the last bug compromise (Axios, on March 31st)- that new flag should have already been shipped a couple weeks ago.

Shit does take time, but where there's a will there's a way, and nobody buys that this shit would take that much time.

reply
upvoteby insanitybit1 hours ago|
parent|
[-]
Have you ever managed software as critical and ubiquitous as npm?
reply
upvoteby j1elo48 minutes ago|
parent|
[-]
Not infra, but final product. I know, corporations move slow. But when there is a critical issue, and an actual desire to solve it from someone in a suit, suddenly turns out that the cogs were always able to speed up and move fast...
reply