Nicholas Zakas, creator and long-time maintainer of ESLint, says GitHub's response to npm's security problems is not enough. In a post titled 'How GitHub could secure npm,' he lays out concrete alternatives. This episode of the Changelog puts him in front of Adam Stacoviak and Jerod Santo to walk through exactly what those fixes look like.
The more important argument is structural: npm is critical internet infrastructure and it is being neglected. Zakas does not spare the alternatives either. His assessment of JSR, the JavaScript registry backed by Deno, is bleak. The episode earns its runtime by forcing a real accounting of who owns the problem and who has the leverage to fix it.
Read Zakas's original post at humanwhocodes.com before or after listening. The post gives you the specific mechanisms. The episode gives you the frustration behind them, and that context matters if you want to understand why this problem keeps not getting solved.