To me the only solution is that we need a security-in-depth approach:
- Create a trusted packages program, and mark trusted packages with a prominent badge. Package authors can apply to join the program, which will involve a review of their package and any subsequent updates. Ensure trusted packages can only depend on other trusted packages.
- Implement a capabilities model for package managers. I hear Deno is better in that respect.
- Have the package manager back-end use AI to continually review the packages. If anything suspicious is found, flag it and investigate manually.
- Require all packages to be namespaced
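The "trusted packages can only depend on other trusted packages" rule in the comment above is the one point in the list that is a mechanical invariant rather than a policy choice, so here is an added example (not from the commenter, and not any registry's real tooling) of how a registry back-end could enforce it. The package names, the `(trusted, dependencies)` manifest shape and the trust flags are all constructed for illustration. It checks both the direct rule (a trusted package must not declare an untrusted or unknown dependency) and the transitive one a badge actually implies (nothing untrusted anywhere in the tree), and reports the dependency path that introduces each untrusted package so a reviewer knows where to look.

```python
# Added example: enforce "trusted packages may only depend on trusted packages"
# over a registry snapshot. Registry contents are constructed, not real.
from collections import deque

# Constructed sample registry: name -> (trusted?, direct dependencies).
REGISTRY = {
    "@acme/util":   (True,  []),
    "@acme/core":   (True,  ["@acme/util"]),
    "@acme/web":    (True,  ["@acme/core", "left-pad-ish"]),
    "@acme/cli":    (True,  ["@acme/web"]),
    "@acme/log":    (True,  ["missing-pkg"]),   # dependency absent from the registry
    "left-pad-ish": (False, ["colorz"]),
    "colorz":       (False, []),
}

UNKNOWN = (False, [])  # treat anything not in the registry as untrusted with no deps


def direct_violations(registry):
    """Edges where a trusted package declares an untrusted or unknown dependency.

    Returns a sorted list of (trusted_package, offending_dependency) pairs.
    """
    bad = []
    for name, (trusted, deps) in registry.items():
        if not trusted:
            continue
        for dep in deps:
            if not registry.get(dep, UNKNOWN)[0]:
                bad.append((name, dep))
    return sorted(bad)


def untrusted_closure(registry, root):
    """Every untrusted or unknown package reachable from root.

    Breadth-first walk over the dependency graph, cycle-safe via a seen set.
    Returns {package: path_from_root} where the path is the first (shortest)
    route that pulls the package in, so a reviewer can trace the offending edge.
    """
    paths = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for dep in registry.get(name, UNKNOWN)[1]:
            if dep in seen:
                continue
            seen.add(dep)
            dep_path = path + [dep]
            if not registry.get(dep, UNKNOWN)[0]:
                paths[dep] = dep_path
            queue.append((dep, dep_path))
    return paths


def badge_eligible(registry, package):
    """A package may carry the trusted badge only if it is itself trusted and
    nothing untrusted or unknown appears anywhere in its dependency tree."""
    if not registry.get(package, UNKNOWN)[0]:
        return False
    return not untrusted_closure(registry, package)


if __name__ == "__main__":
    for src, dep in direct_violations(REGISTRY):
        print(f"direct violation: trusted {src} depends on untrusted/unknown {dep}")
    for pkg, (trusted, _) in REGISTRY.items():
        if trusted:
            status = "eligible" if badge_eligible(REGISTRY, pkg) else "NOT eligible"
            print(f"{pkg}: {status}")
            for bad, path in untrusted_closure(REGISTRY, pkg).items():
                print(f"  pulls in {bad} via {' -> '.join(path)}")
```

The direct check is what the registry should run on every publish of a trusted package (reject the upload); the transitive check is what should run continuously, because a badge holder can be made non-compliant by a change several levels down the tree without publishing anything itself.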