Hacker News new | comments | show | ask | jobs | submit login

When a package transfers ownership or is removed/re-added, it's not possible to republish the same version as one that has previously existed.

Of course, this doesn't save you if you're installing `^1.0.0`, the maintainer deletes the package, and someone else uploads a malicous `1.0.1`.

The package.json should allow pinning publisher usernames and optionally public keys, and shrinkwrap should pin hashes, not just versions.




I edited my post while you were writing yours ;-) Thanks for the clarification.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: