item 32027237

jamesboehmer | 3 years ago

You know which modules I'm not using for my critical projects? Ones whose maintainers refuse to enable 2FA. We already know how supply chain security problems have plagued npm and PyPI. Dependabot should alert you when your dependency comes from a package maintainer that doesn't use 2FA.

Wowfunhappy | 3 years ago

That's entirely reasonable. However, it is also reasonable for the author, who is working for free, to ignore your concerns.

eternityforest | 3 years ago

I think it's completely insane to not use 2FA when available... but I also support the freedom to not maintain a piece of software unpaid. One-person projects are pretty miserable.