GitHub are in such a good position to improve npm package security drastically. Imagine package releases that are verified against git commits. Impossible to sneak code in.
Yes, me too... but even then it would only work if everything is completely open (build scripts and definitions) and there is no way to circumvent package publishing (i.e. no direct access to the package feed).
Careful what you wish for. One-stop-shop monolithic services leave you stuck when other companies move beyond certain components.