Staged publishing and new install-time controls for npm
57 points by brianmcnulty
by supriyo-biswas
0 subcomments
Is any form of code analysis out of the question? Static and dynamic analysis of the code would seem like a promising idea rather than just trying to defer the update and hence the problem.
by weinzierl
1 subcomments
Seen favorably, staged publishing is a band-aid. Seen more realistically, I believe that in the long run it will even hurt our efforts for more secure infra.
by koinedad
1 subcomments
Nice… maybe it will help with some of the recent attacks.
by madarco
2 subcomments
Meanwhile, pnpm 10.x by default won't download packages younger than a day.
by warmwaffles
0 subcomments
Perfect, now we'll start seeing people automate auto publishing because they don't want to explicitly push a button to publish it.