Your code. Your packages. One login. Watch the GitHub Package Registry’s surprise launch event with GitHub CEO Nat Friedman and lead developer Phani Raj. Sign up for the beta here: github.co/ytgpr
Did he publish changes without committing them first? Wouldn’t you then be able to publish malicious code while the GitHub UI shows you the version without the malicious code you published? Sort of feels like having a false sense of security.
Vjacheslav Trushkin, I realize that, but I was under the impression they said versions could be tracked back to specific commits and that you could trust repositories by looking at the code committed (hence my point about a false sense of security).
I wonder if this is in part because of vulnerabilities like the npm event-stream hack. Seeing the code for the package I install directly might help security breaches get detected faster.
Important but orthogonal. You can unzip and look at the code from any npm package very easily. It’s just a tarball. You will also have to do the same when downloading from the GitHub npm registry, because the source in the repo isn’t what the final package will contain due to the build step in between.
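Added example, not code from the video, from GitHub, or from npm: a small Python script (standard library only) that treats a package the way the comment above describes, as a plain gzipped tarball. It lists the files inside without extracting to disk, flags entries whose paths would escape the extraction directory, computes the SRI `sha512-` value that npm records as the `integrity` field in `package-lock.json` (a SHA-512 of the tarball bytes, base64-encoded), and reports which shipped files are not tracked in the repository, which is exactly the build-step gap between "the repo" and "the package". The sample tarball and the sample repository file list are constructed inline for illustration and are not a real package.

```python
import base64
import hashlib
import io
import json
import tarfile

# Constructed sample: a tiny tarball laid out the way `npm pack` lays one out
# (every entry lives under a top-level "package/" directory). Not a real package.
SAMPLE_FILES = {
    "package/package.json": json.dumps(
        {"name": "demo-pkg", "version": "1.0.0", "main": "dist/index.js"}
    ).encode(),
    "package/dist/index.js": b"module.exports = function () { return 42; };\n",
    "package/README.md": b"# demo-pkg\n",
}

# Constructed sample: the files tracked in the package's git repository. There is
# no dist/ directory here; it is produced by a build step before publishing.
SAMPLE_REPO_FILES = {"package.json", "src/index.js", "README.md", ".gitignore"}


def build_sample_tarball(files=SAMPLE_FILES):
    """Build a gzipped tarball in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def npm_integrity(tarball):
    """SRI string as npm stores it in package-lock.json: sha512-<base64 of SHA-512(tarball bytes)>."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


def verify_integrity(tarball, expected):
    """True if the tarball bytes match a previously recorded integrity value."""
    return npm_integrity(tarball) == expected


def list_package_files(tarball):
    """Names of regular files in the tarball, read without extracting anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        return sorted(m.name for m in tf.getmembers() if m.isfile())


def unsafe_members(tarball):
    """Entries that would escape the extraction directory (absolute paths, '..', links)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                bad.append(m.name)
    return bad


def read_package_file(tarball, name):
    """Return one file's bytes straight from the tarball, for review."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        return tf.extractfile(name).read()


def files_not_in_repo(tarball, repo_files):
    """Files shipped in the tarball that the repository does not track.

    These are build output or something added at publish time; either way the
    repository view never shows them, so they are the part to review.
    """
    shipped = [n[len("package/"):] for n in list_package_files(tarball)]
    return [n for n in shipped if n not in repo_files]


if __name__ == "__main__":
    tar = build_sample_tarball()
    print("integrity:", npm_integrity(tar))
    print("files:", list_package_files(tar))
    print("unsafe entries:", unsafe_members(tar))
    print("not in repo:", files_not_in_repo(tar, SAMPLE_REPO_FILES))
    print(read_package_file(tar, "package/dist/index.js").decode(), end="")
```

To use this on a real package, replace `build_sample_tarball()` with the bytes of a tarball obtained via `npm pack <name>` (a real command; the sample here never touches the network) and replace `SAMPLE_REPO_FILES` with the output of `git ls-files` from the matching commit. Comparing the integrity value you compute against the one in your lockfile tells you the bytes are what you reviewed before; the `files_not_in_repo` listing tells you what reviewing the repository alone would have missed.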
You looked at one module to see if it’s trusted, when the average app pulls in over 100. Is there any way to identify which modules from GitHub have which security flaws? Are developers going to code review all of those and understand them? Without verifiable security, npm solutions in GitHub are useless to me.
@TheHermitHacker They smell like Facebook and Apple. They just want customers and they only want their money. They don’t care about quality or innovation unless they get attention for it.