Making "safe npm"
JS Party: JavaScript, CSS, Web Development
How to Warn Developers About Dangerous Packages Before They Install Them
We're trying to move the like knowledge forward before you install the dangerous thing, not telling you you already did something dangerous. And we're looking for stuff that doesn't even covered by CVEs because when you have a supply chain attack, it's usually it's some packages compromised and nobody knows it yet. So there's a bunch of things that you might initially think are great to warn developers about, but it makes a tool completely unusable every time you add that speed bump. We've had this feedback period and developers have shown us problems with us over alerting or under alerting. Everybody wants different things, which is interesting to see. You've got to find that default middle ground
Remember Everything You Learn from Podcasts
