item 45294789 (no title)

davidpfarrell | 5 months ago Wow, so couldn't said security cos establish their own registry that we could point to instead, where packages would only get updated after they reviewed and approved them? I mean, I'd probably be okay paying a yearly fee for access to such a registry.
davidshepherd7|5 months ago IIUC chainguard is this, but only for python, java, and docker images so far. https://www.chainguard.dev/libraries
getcrunk|5 months ago I think it would be a no-brainer for npm to offer this, but idk why they haven't.
phatfish|5 months ago Probably because they would expose themselves legally? Not sure what the current situation is exactly, but I assume it's "at your own risk".