Nicholas Zakas

Yeah, yeah.

Interesting.

I think potentially an easier solution, which is a little bit heavy handed, is you could just say, okay, all packages that have pre and post install scripts right now, you can keep doing it.

Anybody else?

You don't get to do it.

We're basically cutting that off now and saying that we're grandfathering in all those old packages so they will continue to work.

But new packages, sorry, you're out of luck.

We're just not going to do it for you.

You need to figure out a different way to distribute stuff.

Yeah.

Yeah, just go ahead and write your own shell script.

Or here's the shell script, download it, and you need to run this, and then after that, it's fine.

Yeah.

But again, I feel like there are some lightweight solutions that could be done instead of putting more responsibility on maintainers every time there's an attack.

Yeah, so Volt, as far as I know, was not in the business of providing a registry.

It was more around tooling around NPM.

Yeah.

Basically, new client does fancier stuff, more secure, et cetera.

I haven't seen anything notable come out of that.

In fact, I'm starting to think this might be me.