
Changelog Master Feed: Securing npm is table stakes (Changelog Interviews #674)
Jan 29, 2026

Nicholas C. Zakas, longtime JavaScript developer and ESLint creator, weighs in on npm security and registry risks. He criticizes recent platform responses and explores trusted publishing, token tradeoffs, and detection versus prevention. He also examines alternatives like JSR and Volt, explains the dangers of install scripts, and discusses why registries struggle financially.
Repeated Package Compromises Signal Bigger Risk
- npm faced hundreds of compromised packages in short periods, often via stolen credentials and malicious install scripts.
- Nicholas Zakas warns these repeated attacks hint at a larger, more damaging attack looming if things don't change.
ESLint Saw Suspicious PRs And A Past Compromise
- Nicholas describes mysterious pull requests that changed dependencies in high-download packages such as ESLint, reading them as penetration tests.
- He recounts a past incident where a maintainer's reused credentials allowed a compromised ESLint release.
Adopt Trusted Publishing But Know Its Limits
- Use trusted publishing (OpenID Connect) so each release job exchanges a short-lived identity token for a publish credential, instead of storing a long-lived publish token that has to be protected and rotated by hand.
- But be aware that a publish from CI happens without a per-publish two-factor prompt, and that binding publishing to a specific CI provider can create GitHub lock-in.
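As an added illustration, not code from the episode or from ESLint's own release process, here is a GitHub Actions workflow of the kind the trusted-publishing bullet describes. It assumes the package's npmjs.com settings list this repository and the workflow filename `publish.yml` as a trusted publisher; the tag pattern, Node version and `--access public` flag are placeholders for a scoped public package. The `id-token: write` permission is what lets the job obtain the OIDC token that the npm CLI exchanges for a publish credential, so no `NPM_TOKEN` secret is stored in the repository.

```yaml
# .github/workflows/publish.yml  (hypothetical; filename must match the
# trusted-publisher entry configured for the package on npmjs.com)
name: Publish to npm

on:
  push:
    tags:
      - "v*"          # assumption: releases are cut by pushing a v-prefixed tag

permissions:
  contents: read      # checkout only; nothing in this job writes to the repo
  id-token: write     # required: lets the job mint the OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing is handled by the npm CLI itself; my understanding
      # from the npm docs is that it needs npm 11.5.1 or newer, so make sure
      # the bundled npm is recent enough before publishing.
      - run: npm install -g npm@latest

      # --ignore-scripts keeps dependency lifecycle scripts (preinstall,
      # install, postinstall) from executing inside the release job, which
      # is the install-script risk discussed in the episode.
      - run: npm ci --ignore-scripts

      # No NODE_AUTH_TOKEN is set: the CLI detects the OIDC environment and
      # exchanges the identity token for a short-lived publish credential.
      # --provenance additionally publishes a signed attestation linking the
      # tarball to this workflow run.
      - run: npm publish --provenance --access public
```

The caveat the bullet raises is visible here: the job publishes on any matching tag push with no interactive second factor, so whoever can create a `v*` tag in this repository can publish. Restrict tag creation and workflow edits with repository rulesets or protected tags, and treat the workflow file itself as release-critical code that requires review.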
