If everyone is going to wait 3 days before installing the latest version of a compromised package, it will take more than 3 days to detect an incident.
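An added example, not from this thread or any package manager's own code: what a "minimum release age" check looks like when applied to npm registry metadata. The registry's per-package document (`https://registry.npmjs.org/<name>`) carries a `time` map of version to ISO publish timestamp; the document below is constructed for offline use, and its package name and versions are made up.

```javascript
// Constructed registry document in the shape of the real npm registry
// response. Only the `time` map matters for the age policy.
const SAMPLE_REGISTRY_DOC = {
  name: "example-pkg",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2023-01-10T00:00:00.000Z",
    modified: "2024-06-02T09:00:00.000Z",
    "1.4.2": "2024-03-15T12:00:00.000Z",
    "2.0.0": "2024-05-28T08:00:00.000Z",
    "2.0.1": "2024-06-02T09:00:00.000Z",
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// The `time` map also holds the non-version keys `created` and `modified`.
function publishedVersions(doc) {
  return Object.keys(doc.time || {}).filter(
    (v) => v !== "created" && v !== "modified"
  );
}

// Age of `version` in whole days at instant `now`, or null when the
// registry document has no publish time for it.
function versionAgeDays(doc, version, now = Date.now()) {
  const published = doc.time && doc.time[version];
  if (!published) return null;
  return Math.floor((now - Date.parse(published)) / DAY_MS);
}

// Every version that is younger than the policy allows (the ones a
// quarantine window would hold back), sorted for stable output.
function flagRecentVersions(doc, minAgeDays, now = Date.now()) {
  return publishedVersions(doc)
    .filter((v) => versionAgeDays(doc, v, now) < minAgeDays)
    .sort();
}

// Newest version that satisfies the age policy, or null if none does.
// "Newest" is by publish timestamp rather than semver so that the
// example stays dependency-free.
function newestAllowedVersion(doc, minAgeDays, now = Date.now()) {
  const allowed = publishedVersions(doc).filter(
    (v) => versionAgeDays(doc, v, now) >= minAgeDays
  );
  if (allowed.length === 0) return null;
  return allowed.sort(
    (a, b) => Date.parse(doc.time[b]) - Date.parse(doc.time[a])
  )[0];
}

// Fixed "now" so the output is reproducible: 2024-06-04T00:00Z.
const NOW = Date.parse("2024-06-04T00:00:00.000Z");

console.log(flagRecentVersions(SAMPLE_REGISTRY_DOC, 3, NOW));   // ["2.0.1"]
console.log(newestAllowedVersion(SAMPLE_REGISTRY_DOC, 3, NOW)); // "2.0.0"
```

The unit is spelled out in the parameter name (`minAgeDays`) and the comparison is on whole days, so a value of 3 holds back anything published less than three full days ago. The check only buys time; it is useful to the extent that someone (a scanner, an early adopter, the maintainer) notices a bad release inside that window.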
anematode•14m ago
A lot of people will still use npm, so they'll be the canaries in the coal mine :)
More seriously, automated scanners seem to do a good job already of finding malicious packages. It's a wonder that npm themselves haven't already deployed an automated countermeasure.
omnicognate•8m ago
Should have included the units in the name or required a choice of unit to be selected as part of the value. Sorry, just a bugbear of mine.
postepowanieadm•29m ago