parksy

Beyond the usual DIY security practices when dealing with NPM I wonder if there's viability in a service offering access to pre-audited repos like NPM, basically just a curated proxy with a process around certifying the security of packages and updates into the repo, including code reviews, dependency checking and various tests performed by security engineers.

I feel that the benefits in outsourcing some of that risk management could be a service worth paying for, at least for commercial purposes. It might lag behind and given the number of NPM packages most likely wouldn't offer the full range of packages, but I could see it bringing peace of mind for like the 90% of use-cases.

At the moment it would appear every NPM user is responsible for their own security, and the barrier of entry to the NPM repository is low which is fine and in keeping with the general principles of open source and distributed development, but on the flipside wouldn't it be more efficient to centralise the security auditing and management effort somewhere?

I don't know, just thinking out loud, perhaps there's good reasons why this hasn't happened.

karlding
There are projects like crev [0] which attempt to get around this by using a web of trust to audit dependencies. Rust has cargo-crev [1] as an implementation.

Here's the previous HN discussion [2].

[0] https://github.com/crev-dev/crev/

[1] https://github.com/crev-dev/cargo-crev

[2] https://news.ycombinator.com/item?id=18824923