
matheusmoreira, today at 2:23 PM (2 replies)

> where it can be reviewed

> Critically, there must be time for someone to review

By whom? No one at npm is reviewing anything. "Someone" is doing a lot of work here.

Linux distributions have trusted maintainers who are responsible for their packages. People who cared enough to figure out PGP and set up an actual web of trust. That's where the verification happens. All these programming language package managers have nothing of the sort. PyPI, Rubygems, crates, npm, it doesn't matter. I can just make an account and push whatever I want.

These package managers are like this because that's what developers actually want. They don't want to deal with Linux distribution maintainers in order to get their software into the official repositories. They want to just run $packager push and have it out there with zero friction.


Replies

gbear605, today at 6:21 PM

As discussed elsewhere in this forum, these exploits are being found by security companies in the first few days after they're published, and that's already too late. For example, the auditor who made the very post that we're discussing! For another, many security-focused AI companies have automated checks on NPM packages. Many people are implementing it on their end by having their client wait seven days before pulling new packages, but that's O(N) rather than O(1), and it's not evenly spread.

If no one reviews it and it still gets out, then we can address it then, but that seems much less likely.

Ideally, the solution is that all of these language package managers need to get serious and have maintainers, but lacking that, at least having the waiting period be built into the server instead of the client is a clear win.
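As an added illustration of the client-side waiting period gbear605 describes (example code, not from the thread, from npm, or from any commenter): a Node script that, given an npm-registry-style packument, picks the newest stable version published at least seven days ago and lists the versions still inside the window. The packument is constructed inline so it runs offline, and treating a missing or unparseable timestamp as "too new" is a choice made here, not registry behaviour.

```javascript
// Added example: a client-side "minimum release age" check of the kind
// described above. It reads an npm-registry-style packument (the JSON that
// GET https://registry.npmjs.org/<name> returns) and refuses versions that
// are younger than MIN_AGE_DAYS. The packument below is constructed inline.
const MIN_AGE_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument: `time` maps each version to its publish timestamp,
// plus the non-version keys "created" and "modified" the registry also emits.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2024-03-20T15:30:00.000Z",
    "1.4.0": "2024-01-10T09:00:00.000Z",
    "1.4.1": "2024-02-02T11:15:00.000Z",
    "1.5.0": "2024-03-01T08:00:00.000Z",
    "2.0.0": "2024-03-19T14:00:00.000Z", // two days before "now" below
    "2.0.1": "2024-03-20T15:30:00.000Z", // tagged latest, but even newer
  },
};

// Parse "MAJOR.MINOR.PATCH"; pre-releases and non-version keys return null.
function parseRelease(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Newest stable version published at least `minAgeDays` before `now`, plus the
// versions skipped because they are still inside the window. A version with a
// missing or unparseable timestamp is quarantined too (fail closed).
function selectVersion(packument, now, minAgeDays = MIN_AGE_DAYS) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  let chosen = null;
  const quarantined = [];
  for (const [version, published] of Object.entries(packument.time)) {
    const rel = parseRelease(version);
    if (!rel) continue; // skips "created", "modified", pre-releases
    const t = Date.parse(published);
    if (Number.isNaN(t) || t > cutoff) { quarantined.push(version); continue; }
    if (!chosen || compareRelease(rel, parseRelease(chosen)) > 0) chosen = version;
  }
  return { version: chosen, quarantined, latestTag: packument["dist-tags"].latest };
}

// With "now" = 2024-03-21, 2.0.0 and 2.0.1 are too new, so 1.5.0 is selected.
console.log(selectVersion(samplePackument, new Date("2024-03-21T12:00:00.000Z")));
```

Note that `dist-tags.latest` still points at 2.0.1: an installer honouring the window must ignore the tag and resolve from `time`, which is exactly the per-client work the comment calls O(N).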

jruohonen, today at 3:59 PM

Indeed, my sentiment also, which I posted elsewhere:

https://news.ycombinator.com/item?id=48358080