Nicholas Zakas, creator and long-time maintainer of ESLint, says GitHub's response to npm's security problems is not enough. In a post titled 'How GitHub could secure npm,' he lays out specific, actionable alternatives. This episode of the Changelog is built around that post.

Zakas does not just critique. He proposes concrete mechanisms GitHub could implement, given that it owns npm, to meaningfully reduce supply chain risk. He also calls out JSR, Deno's JavaScript registry, as a weak alternative. The conversation covers why a registry used by millions of developers still operates without the security controls that its scale demands.

The argument worth reading in full is not the conclusion but the middle: how GitHub's existing infrastructure and identity systems could be applied directly to npm, and why they have not been. If you work in JavaScript, ship packages, or care about open source infrastructure, this is the episode.
