How GitHub could secure npm
6 points by greenheart
Why doesn't npm detect compromised packages the way credit card companies detect fraud?
Because there is no regulatory mechanism that requires GitHub to detect package compromises, and GitHub is not liable for losses due to package compromises. Would we even want them to be? ¯\_(ツ)_/¯
Using anomaly detection to identify compromised packages is a good idea and all (if not exactly rocket science) but security analysts... already do this, I would assume? It's not clear to me that GitHub should be the responsible party here tbh.
Seriously - imagine what would happen if you made project hosting providers responsible for the result of some project being compromised? How could any provider host any project that got any significant adoption?
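As an added illustration of the "detect it like card fraud" idea raised in the thread (this is not code from the discussion, npm or GitHub), the snippet below scores a single package publish event against that package's own history, the way an issuer scores a transaction against a cardholder's spending pattern. The event and history shapes, the rule weights, the 50-point threshold and the package data are all constructed assumptions for the example, not registry fields or real packages.

```javascript
// Added example: a minimal rule-based score for npm publish events, not
// npm's or GitHub's code. Shapes of `event` and `history` are assumed:
//   event   = { publisher, publishedAt (ms epoch), scripts, unpackedSize }
//   history = { knownPublishers: Set, maintainerAddedAt: {name: ms}, versions: [...] }
const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;
const FLAG_THRESHOLD = 50; // assumed cut-off above which a publish is held for review

// Lifecycle scripts that run on a consumer's machine when the package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const hasInstallScript = (scripts) =>
  INSTALL_HOOKS.some((k) => scripts !== undefined && k in scripts);

// Each rule fires on a pattern a maintainer-account takeover tends to produce.
const RULES = [
  {
    name: 'first-publish-by-this-account',
    weight: 40,
    test: (ev, hist) => !hist.knownPublishers.has(ev.publisher),
  },
  {
    name: 'publisher-added-less-than-24h-ago',
    weight: 30,
    test: (ev, hist) => {
      const addedAt = hist.maintainerAddedAt[ev.publisher];
      return addedAt !== undefined && ev.publishedAt - addedAt < DAY;
    },
  },
  {
    name: 'install-script-appears-for-first-time',
    weight: 35,
    test: (ev, hist) =>
      !hist.versions.some((v) => hasInstallScript(v.scripts)) && hasInstallScript(ev.scripts),
  },
  {
    name: 'unpacked-size-jumped-over-5x',
    weight: 15,
    test: (ev, hist) => {
      const last = hist.versions[hist.versions.length - 1];
      return last !== undefined && ev.unpackedSize > 5 * last.unpackedSize;
    },
  },
];

// Returns the total score, the rules that fired, and whether the publish should be held.
function scorePublish(event, history) {
  const reasons = RULES.filter((r) => r.test(event, history)).map((r) => r.name);
  const score = RULES.filter((r) => reasons.includes(r.name)).reduce((s, r) => s + r.weight, 0);
  return { score, reasons, flagged: score >= FLAG_THRESHOLD };
}

// Constructed sample data (not a real package): one long-time maintainer, two
// prior versions, no install hooks, and a second account added two hours
// before it publishes.
const T0 = Date.UTC(2024, 0, 1);
const sampleHistory = {
  knownPublishers: new Set(['alice']),
  maintainerAddedAt: { alice: T0 - 400 * DAY, mallory: T0 + 30 * DAY - 2 * HOUR },
  versions: [
    { version: '1.4.1', scripts: { test: 'node test.js' }, unpackedSize: 12000 },
    { version: '1.4.2', scripts: { test: 'node test.js' }, unpackedSize: 12300 },
  ],
};

// Routine patch release by the existing maintainer: no rule fires.
const benignPublish = {
  publisher: 'alice',
  publishedAt: T0 + 10 * DAY,
  scripts: { test: 'node test.js' },
  unpackedSize: 12500,
};

// Publish by the newly added account that introduces a postinstall hook and
// a much larger tarball: every rule fires.
const suspiciousPublish = {
  publisher: 'mallory',
  publishedAt: T0 + 30 * DAY,
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
  unpackedSize: 90000,
};

console.log(JSON.stringify(scorePublish(benignPublish, sampleHistory)));
console.log(JSON.stringify(scorePublish(suspiciousPublish, sampleHistory)));
```

The point of scoring against per-package history rather than a global rule set is the same as in card fraud: a postinstall script or a new publisher is normal for many packages, but a sudden change in either for a package that never had one is the signal. A real deployment would also need a hold-and-review step rather than a hard block, since a score is a prior, not proof of compromise.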