Nicholas Zakas, creator and long-time maintainer of ESLint, says GitHub's response to npm's security problems is not enough. In a post titled 'How GitHub could secure npm,' he lays out concrete alternatives GitHub has not taken. This is the person who has watched JavaScript tooling infrastructure decay from the inside.
The conversation goes beyond the blog post. Zakas walks through why JSR, the most-cited npm alternative, is not the answer he would reach for. The argument is specific and worth hearing before you bet your supply chain on it.
The real thread running through this episode: npm is critical internet infrastructure and it is being treated like a side project. If you ship JavaScript, that is your problem too. Read the show notes, then go find Zakas's blog post directly.
[READ ORIGINAL →]