substructure | 3 years ago

Nice. This blog post is less focused on npm/node than previous ones. Does that imply a broadening of ecosystem support is intended? As I'm sure you're aware, competing companies support more language ecosystems. Hopefully this seed funding will allow for some degree of scope creep.

Were you able to resolve the potential issue with npm's fourth open source condition[1]? The addition of this condition seems to align with their acquisition of ^Lift Security[2] based off of archive.org snapshots of before[3] and after[4]. Shifting away from npm exclusively seems like a reasonable way to hedge against this.

[1] https://docs.npmjs.com/policies/open-source-terms#conditions

[2] https://blog.npmjs.org/post/172793182214/npm-acquires-lift-s...

[3] https://web.archive.org/web/20170926030855/https://docs.npmj...

[4] https://web.archive.org/web/20190207170526/https://www.npmjs...

feross | 3 years ago

Yes, we intend to broaden the language support as soon as we can! This funding will definitely help get us there.

I'm not too worried about the npm condition. My reading of it is that it's intended to prohibit using security data generated by npm itself. When talking about "data about the security of Packages" they give the examples of "vulnerability reports, audit status reports, and supplementary security documentation". We don't use any of that stuff.