- Add 2 factor authentication for npm publish
- When you npm install, add a warning for all the versions that got published without 2 fac
- pre-install/post-install scripts should require the user to accept or refuse. The simple action of running npm install shouldn't run arbitrary code.
- make shrinkwrap the default (and fix all the issues with it) so that running npm install doesn't use different versions when used over time.
- make updating a version an explicit decision via npm upgrade
User A: Publish package X1.0 (with 2 factor auth)
User B: Download with npm package X1.0
User A: Unpublish package.
User C: Publish package X1.0, malware code (with a different 2 factor auth)
User B: Somewhere else, download and install package X1.0
Seems like it's impossible to re-upload X1.0, which fixes this issue. I thought once a package was unpublished, it was possible to republish the exact same version.
Of course, this doesn't save you if you're installing `^1.0.0`, the maintainer deletes the package, and someone else uploads a malicious `1.0.1`.
The package.json should allow pinning publisher usernames and optionally public keys, and shrinkwrap should pin hashes, not just versions.
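An added illustration of that last point (my own code, not anything from npm or from the commenters above): a lock entry that records the tarball hash and the publishing account, so the "unpublish, then republish the same version" sequence from the thread is caught even though the version string matches. The `publisher` field, the account names and the sample tarball bytes are assumptions made up for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not real packages): the same name and version,
# first as the original author's tarball, then as a tarball someone else
# republished under the same version after the original was unpublished.
ORIGINAL_TARBALL = b"package/index.js\nmodule.exports = (a, b) => a + b;\n"
REPUBLISHED_TARBALL = b"package/index.js\nmodule.exports = (a, b) => a + b; /* changed */\n"


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity style digest string: '<algo>-<base64 digest>'."""
    raw = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def make_lock_entry(name: str, version: str, tarball: bytes, publisher: str) -> dict:
    """Record what was actually installed: version, content hash and publisher."""
    return {
        "name": name,
        "version": version,
        "integrity": sri_digest(tarball),
        "publisher": publisher,  # hypothetical field; real npm lockfiles do not carry it
    }


def version_only_check(entry: dict, fetched_version: str) -> bool:
    """What pinning versions alone gives you: a republished 1.0.0 passes."""
    return entry["version"] == fetched_version


def verify_lock_entry(entry: dict, fetched_tarball: bytes, fetched_publisher: str):
    """Return (ok, reason). Hash is checked first, then publisher; the version
    is deliberately not consulted because the attack keeps it identical."""
    algo = entry["integrity"].split("-", 1)[0]
    actual = sri_digest(fetched_tarball, algo)
    if not hmac.compare_digest(actual, entry["integrity"]):
        return False, "integrity mismatch"
    if fetched_publisher != entry["publisher"]:
        return False, "publisher mismatch"
    return True, "ok"


# Lock entry written when User B first installed X 1.0.0 from User A.
LOCK_ENTRY = make_lock_entry("X", "1.0.0", ORIGINAL_TARBALL, "user-a")

if __name__ == "__main__":
    print("version only:", version_only_check(LOCK_ENTRY, "1.0.0"))
    print("hash + publisher:", verify_lock_entry(LOCK_ENTRY, REPUBLISHED_TARBALL, "user-c"))
```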