0 points
davidpfarrell
6mo ago
0 comments
Wow, so couldn't said security companies establish their own registry that we could point to instead, where packages would only get updated after they reviewed and approved them?
I mean, I'd probably be okay paying a yearly fee for access to such a registry.
davidshepherd7
6mo ago
IIUC, Chainguard is this, but only for Python, Java, and Docker images so far.
https://www.chainguard.dev/libraries
getcrunk
6mo ago
I think it would be a no-brainer for npm to offer this, but I don't know why they haven't.
phatfish
6mo ago
Probably because they would expose themselves legally? Not sure what the current situation is exactly, but I assume it's "at your own risk".