Securing npm is table stakes (Interview)

As the creator and long-time maintainer of ESLint, Nicholas Zakas is well-positioned to criticize GitHub’s recent response to npm’s insecurity. He found the response insufficient, and has other ideas on how GitHub could secure npm better. On this episode, Nicholas details these ideas, paints a bleak picture of npm alternatives like JSR, and shares our frustration that such a critical piece of internet infrastructure feels neglected. Join the discussionChangelog++ members save 6 minutes on this episode because they made the ads disappear. Joi...

As the creator and long-time maintainer of ESLint, Nicholas Zakas is well-positioned to criticize GitHub’s recent response to npm’s insecurity. He found the response insufficient, and has other ideas on how GitHub could secure npm better. On this episode, Nicholas details these ideas, paints a bleak picture of npm alternatives like JSR, and shares our frustration that such a critical piece of internet infrastructure feels neglected.

Join the discussion

Changelog++ members save 6 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

• Namespace – Speed up your development and testing workflows using your existing tools. (Much) faster GitHub actions, Docker builds, and more. At an unbeatable price.
• Tiger Data – Postgres for Developers, devices, and agents The data platform trusted by hundreds of thousands from IoT to Web3 to AI and more.
• Squarespace – A website makes it real! Use code CHANGELOG to save 10% on your first website purchase.

Featuring:

• Nicholas C. Zakas – Website, GitHub, LinkedIn, Bluesky, Mastodon, X
• Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
• Jerod Santo – Website, GitHub, LinkedIn, Mastodon, X

Show Notes:

• How GitHub could secure npm
• JSR: the javascript registry
• vlt /vōlt/

Something missing or broken? PRs welcome!