9 comments

[ 0.18 ms ] story [ 28.5 ms ] thread
Nice…maybe will help some of the recent attacks
Seen favorably, staged publishing is a band aid. Seen more realistically I believe that in the long run it will even hurt our efforts for more secure infra.
Is any form of code analysis out of the question? Static and dynamic analysis of the code would seem like a promising idea rather than just trying to defer the update and hence the problem.
meanwhile pnpm 10.x by default won't donwload packages younger than a day
Perfect, now we'll start seeing people automate auto publishing because they don't want to explicitly push a button to publish it.