Nicholas Zakas
Because for most people that will not be installed automatically as like the minor and the patch versions are.
So if you just said like, oh, hell, hold on, for this, like, 1.x branch of this package, you never had a postinstall script before, and now you do. Sorry, you've got to bump that to 2.0.0 before we're going to publish it for you.
And I think that that alone would slow down attackers tremendously because people will just not automatically be downloading those packages anymore.
And hopefully someone, like maybe it's Socket or maybe it's NPM themselves, will then have the time to identify that as malicious and get it pulled down before it is downloaded millions of times.
Yeah, I like that idea a lot.
I think that, for too long, we've just been saying like, oh, you know, they go and add a postinstall script and gosh, like, that's terrible.
But yeah.
But there are all kinds of things that I think can be done with these packages to just make sure that they're safe.
And yeah, I love that idea of just providing extra scrutiny to those.
I mean, it could be the case that, like, you even need a waiting period if you're changing or adding postinstall scripts.
And this is the thing that I found a bit frustrating: I feel like there are some low-hanging fruit options out there that would actually not be very resource-intensive to implement on NPM, which is why my suggestion of just requiring a major version bump was one of the things that I put out there.
I don't think it's super complicated to implement, but let's just start doing something during the publish process instead of just relying on people discovering it after something has been published and then downloaded a bunch of times.
I think that the resources for that would probably be fairly high and probably more than it could get in the short term.
Gotcha.