re: How do we improve security in the npm ecosystem?


There's lots of fancy stuff you can do as the public repo provider (e.g. Github) or as the maintainer handing the project off, but really at the end of the day, the point of open source projects is that you can examine that open source before you decide to use it.

If you are a developer and just decide to npm install solve-my-problem without looking at what solve-my-problem is, or if you update to a new version without seeing what that new version does, then you're taking all the risks that OSS provides, without taking any of the benefits. You would be no worse off than with a closed-source solution.
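One concrete way to "see what that new version does" before updating, as an added example that is not part of the post above: compare the current package.json with the one you are about to install and report what would change at install time. The manifests, the package name solve-my-problem and the helper names are constructed for the example; fetch real manifests without installing anything, e.g. with `npm view <pkg>@<version> --json` or by unpacking `npm pack` output.

```python
"""Pre-install review of an npm package update (constructed example).

Reports install-time lifecycle hooks that are new or changed, plus new and
changed dependencies, so the diff is read before `npm install` runs it.
"""
import json

# Hooks npm runs automatically during install; any change here deserves a read.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed manifests: the installed version and the candidate update.
OLD_MANIFEST = json.dumps({
    "name": "solve-my-problem", "version": "1.2.0",
    "scripts": {"test": "jest"},
    "dependencies": {"debug": "^4.3.4"},
})
NEW_MANIFEST = json.dumps({
    "name": "solve-my-problem", "version": "1.3.0",
    "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    "dependencies": {"debug": "^4.3.5", "left-pad": "^1.3.0"},
})


def review_update(old_manifest: str, new_manifest: str) -> dict:
    """Return hooks and dependency changes introduced by new_manifest."""
    old, new = json.loads(old_manifest), json.loads(new_manifest)
    old_scripts, new_scripts = old.get("scripts", {}), new.get("scripts", {})
    findings = {"hooks": {}, "new_deps": {}, "changed_deps": {}}
    for hook in INSTALL_HOOKS:
        # Flag a hook that did not exist before or whose command changed.
        if hook in new_scripts and new_scripts[hook] != old_scripts.get(hook):
            findings["hooks"][hook] = new_scripts[hook]
    # optionalDependencies are installed (and may run hooks) just like dependencies.
    old_deps = {**old.get("dependencies", {}), **old.get("optionalDependencies", {})}
    new_deps = {**new.get("dependencies", {}), **new.get("optionalDependencies", {})}
    for name, spec in new_deps.items():
        if name not in old_deps:
            findings["new_deps"][name] = spec
        elif old_deps[name] != spec:
            findings["changed_deps"][name] = (old_deps[name], spec)
    return findings


def needs_review(findings: dict) -> bool:
    """True when anything would run or be pulled in that was not there before."""
    return any(findings.values())


if __name__ == "__main__":
    result = review_update(OLD_MANIFEST, NEW_MANIFEST)
    print(json.dumps(result, indent=2), "needs review:", needs_review(result))
```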
