
One can hope that, with GitHub supporting signed commits and signed tags, and now that they've acquired npm, there'll be a way to match up a signed release with an npm release.

Signed releases on npm in general would be a start as then we could at least increase the reliability of security vulnerability notifications.

That being said, as pointed out in another comment, the number of false positives, for instance for regex vulnerabilities in libraries that are only used in the devDependencies of a repository, is too high.
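The devDependencies point above is something you can check mechanically from the lockfile. The script below is an added example, not code from the commenter or from npm: it walks a package-lock.json in the lockfileVersion 2/3 "packages" shape, resolving each dependency the way npm does (the dependent's own nested node_modules first, then up the tree), and reports whether every installed copy of a package is reachable only from the root's devDependencies. The lockfile, the package names and the versions are constructed for illustration.

```javascript
// Added example (not from the comment above): classify whether an installed
// package is reachable from production dependencies or only from the
// devDependencies tree, by walking a package-lock.json graph.
// The lockfile below is constructed; all package names/versions are made up.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "web-framework": "^1.0.0" },
      devDependencies: { "test-runner": "^5.0.0", "lint-tool": "^2.0.0" },
    },
    "node_modules/web-framework": { version: "1.2.3", dependencies: { "path-matcher": "^3.0.0" } },
    "node_modules/path-matcher": { version: "3.1.0" },
    "node_modules/test-runner": { version: "5.0.1", dependencies: { "glob-helper": "^7.0.0" } },
    "node_modules/lint-tool": {
      version: "2.4.0",
      dependencies: { "glob-helper": "^7.0.0", "path-matcher": "^2.0.0" },
    },
    // lint-tool pins an older path-matcher, so npm nests a second copy under it.
    "node_modules/lint-tool/node_modules/path-matcher": { version: "2.9.0" },
    "node_modules/glob-helper": { version: "7.1.6", dependencies: { "path-matcher": "^3.0.0" } },
    // Extraneous: present in node_modules but nothing depends on it.
    "node_modules/left-over": { version: "0.0.1" },
  },
};

// npm resolution: try <fromPath>/node_modules/<dep>, then walk up one
// node_modules level at a time until the top level is reached.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Set of lockfile paths reachable from a map of root-level dependency names.
// dependencies and optionalDependencies are followed; peerDependencies are
// not, since npm records them as regular dependencies once installed.
function reachableFrom(packages, rootDeps) {
  const seen = new Set();
  const stack = Object.keys(rootDeps || {})
    .map((name) => resolveDep(packages, "", name))
    .filter(Boolean);
  while (stack.length) {
    const path = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    const pkg = packages[path];
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (next && !seen.has(next)) stack.push(next);
    }
  }
  return seen;
}

// Every installed copy of `name` (top-level or nested), with prod/dev reachability,
// and an overall verdict: production | dev-only | unreachable | not-installed.
function classifyPackage(lock, name) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const prodSet = reachableFrom(packages, root.dependencies);
  const devSet = reachableFrom(packages, root.devDependencies);
  const installs = Object.keys(packages)
    .filter((p) => p === "node_modules/" + name || p.endsWith("/node_modules/" + name))
    .map((p) => ({ path: p, version: packages[p].version, prod: prodSet.has(p), dev: devSet.has(p) }));
  let verdict;
  if (installs.length === 0) verdict = "not-installed";
  else if (installs.some((i) => i.prod)) verdict = "production";
  else if (installs.some((i) => i.dev)) verdict = "dev-only";
  else verdict = "unreachable";
  return { name, verdict, installs };
}

// Triage a list of advisories (constructed here) so dev-only findings can be
// reported separately from ones that ship to production.
function triage(lock, advisories) {
  return advisories.map((a) => ({ ...a, ...classifyPackage(lock, a.name) }));
}

const ADVISORIES = [
  { name: "glob-helper", title: "ReDoS in glob pattern parsing (constructed advisory)" },
  { name: "path-matcher", title: "ReDoS in path matching (constructed advisory)" },
];
for (const r of triage(LOCKFILE, ADVISORIES)) {
  console.log(`${r.name}: ${r.verdict}`, r.installs.map((i) => `${i.version}@${i.path}`).join(", "));
}
```

Two things worth noting. First, npm already writes a `"dev": true` flag into lockfile v2/v3 entries that are strictly part of the devDependencies tree; the walk above recomputes that from the graph, and also surfaces the per-copy detail (here the nested path-matcher 2.9.0 is dev-only while the top-level 3.1.0 is production). Second, "dev-only" lowers the priority of a ReDoS finding but is not "ignore": devDependencies still run install scripts and code on developer machines and CI, so a compromised package there is a supply-chain problem even when it never reaches production.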
