feedback VS guarddog

no-one-left-behind[1] was not even a year ago, and yet the link on npm[2] explaining why it was removed is already broken. Classic JS ecosystem.

1: https://github.com/npm/feedback/discussions/858

2: https://www.npmjs.com/package/no-one-left-behind

I created a new discussion in the npm/feedback repo to share my idea. I also mentioned my idea in relevant discussions: npm scores, Weird search behavior with stats, and Improve search functionality on npmjs.com.

We encourage you to open a discussion if you have suggestions for how we can improve npm. You don't need to have a solution to the problem you are facing to kick off a discussion. We are hoping to foster productive and collaborative conversations, so please check out how to give good feedback if you want some guidance on how to kick off a successful discussion.

There is an ongoing discussion about 2FA and possible bandaids for this sort of problem in the npm community forum: https://github.com/npm/feedback/discussions/588

See - https://github.com/npm/feedback/discussions/191

Now there have been some discussions around to mitigate these things which might have gone side ways like https://npm.community/t/blacklist-entire-packages/9659/4 and https://github.com/npm/feedback/discussions/272. Of course there might be tools which you can use, such as running a commercial npm registry in proxy mode with blacklisting support. But what are the basic features you have as a developer that can be use to mitigate these things ?

This is likely the issue as npm 7 auto installs peer dependencies, which will fail on conflicting dependents.

Yes. https://securitylabs.datadoghq.com/articles/guarddog-identif....

GuardDog is a CLI tool that allows to identify malicious PyPI packages.

I've been very cautious the last couple of years due to these bad actors when looking at packages that might suit my needs. If there is no online presence of the source code (git anything, zips/gzs, etc), multiple packages submitted in a short time frame, or a greater than normal amount, an/or a derivation/plugin of a popular package it's usually a no-go.

For those that I do possibly trust, I then download the package (pip download) and review it. Doing a quick regex for URLs or exec() calls helps, but I probably should use something like guarddog (https://github.com/DataDog/guarddog)

I woul not use a freeVPN service, honestly. Anyway, you could try to check the code or help with some stuff like this: https://securitylabs.datadoghq.com/articles/guarddog-identify-malicious-pypi-packages/ .