
> Could we not move to a strategy where authors have to cryptographically sign packages with their own package-specific private key when publishing them?

I'm sorry, the NPM ecosystem doesn't do this already? Good god!




In NPM's minor defence, I don't know of any contemporary registry that does.

If I had to guess, the registry operator probably either sees this as friction to onboarding, or if they do support signatures, they'd probably rather sign it themselves.

These are both stupid. The author should be responsible for signing, the registry should never see the key, and the registry should require 2FA to log in and set the public key for a package for users to discover.



