npm already has "npm audit fix" to review known vulnerabilities, but the point of the blog post is that it's too easy to inject malicious code, and I hope GitHub (MS) buying npm will make the situation better.
Perhaps if you could easily flag a package as vulnerable from the npm command, it would make people get alerted quickly?
npm audit flag [package name]
And just show what percentage of the people who downloaded it have flagged it when you try to install it.
You can easily see if it's a false positive by checking GitHub issues to see if people are talking about any vulnerabilities.