As I understand it, a package author can un-publish their package on npmjs.com, and somebody else can publish a package with the same name. If I create a package that depends on a package from npmjs.org, I have little protection against a "bait-and-switch" which could result in unwanted, even malicious, code being deployed and run. Other software distribution methods usually involve signing with a private key to protect against this kind of behaviour. Is there something I can do today to protect against this without resorting to having to manually perform an audit every time I download a package from npmjs.org?
-- Posted to the Google Groups "nodejs" group: https://groups.google.com/d/msgid/nodejs/e60195a2-e615-4ead-a538-02edb44bf0cd%40googlegroups.com