Post AyKb2ow4IqSwbnEFgO by danielsiepmann@friendica.daniel-siepmann.de
Post #AyG83p04TuQzRvATh2 by pixel@desu.social
       2025-09-16T09:14:11Z
       
       0 likes, 0 repeats
       
       I wonder if we get a response from NPM on all the package compromises at some point + what their idea is to mitigate those.
       
Post #AyGJLtBUlJTB8QKTU8 by MarcusSchwemer@muenchen.social
       2025-09-16T11:20:39Z
       
       0 likes, 0 repeats
       
@pixel Is it really an npm issue? If package maintainers do not pay enough attention to their dependencies, this could happen with Composer and other dependency managers also. IMHO
       
Post #AyGTDxJ2YLXh8viKkS by pixel@desu.social
       2025-09-16T13:11:20Z
       
       0 likes, 0 repeats
       
@MarcusSchwemer the thing is: if it happens this often, the service provider should step in with mitigations as well. Just "it's the maintainer's fault" doesn't work if millions of users (and systems) are at stake. Adding a third factor, like signatures etc., is probably what's next.
       
Post #AyKb2ow4IqSwbnEFgO by danielsiepmann@friendica.daniel-siepmann.de
       2025-09-18T04:53:46Z
       
       0 likes, 0 repeats
       
       @MarcusSchwemer and @pixel you might be interested in drewdevault.com/2025/09/17/202…
       
Post #AyKb2qClaFPuXs36Lg by pixel@desu.social
       2025-09-18T12:57:40Z
       
       0 likes, 0 repeats
       
@danielsiepmann @MarcusSchwemer Fun fact: release/artifact attestation already is a thing, just not enforced. https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations