I think what could make the npm ecosystem more trustworthy is if there was a system to “verify” packages similar to how twitter verified accounts. Essentially a package like “react-native” would have a symbol indicating that the npm corporation verified it was owned by Facebook. Perhaps the CLI could then also warn you when you install an unverified package.
>If you are publishing a new package—that is, a package that has not been in the registry before—we remove punctuation from its name and compare it to existing package names. If the names are identical without punctuation, we do not allow the package to be created.
Simply checking the name without punctuation seems too simple. What about a similarity check? Hamming distance? Is there something like metaphone for visual similarity between words?
Also good on them for suggesting using namespaces but since that apparently exists and they're admitting that it helps disambiguate packages, why not just make it mandatory?
2 comments
[ 3.9 ms ] story [ 14.1 ms ] threadSimply checking the name without punctuation seems too simple. What about a similarity check? Hamming distance? Is there something like metaphone for visual similarity between words?
Also good on them for suggesting using namespaces but since that apparently exists and they're admitting that it helps disambiguate packages, why not just make it mandatory?