
question about project & publishing governance #165

Closed
dreamorosi opened this issue Nov 2, 2023 · 2 comments

Comments

@dreamorosi

This is not a question related to the package itself but rather to its governance.

We are considering adopting this library as a dependency for JSON schema validation in our project and I'd like to clarify one aspect. The repo lists 11 collaborators; however, on npmjs.com the package appears to have over 75 collaborators.

Does this mean that all the people listed there have write access to the package and can potentially initiate a supply chain attack?


olistic commented Nov 5, 2023

Hey @dreamorosi, thanks for raising this valid concern.

We're actually at the beginning of a series of initiatives at Exodus that have OSS as one of the pillars, so your message comes right in time. We have done a bunch of improvements to our release processes internally, which include building and publishing packages only using CI/CD pipelines based on GitHub Actions, and we're planning to roll those out to public packages.

Given that you've shown interest in this package, we will prioritize it. I will provide an update here on Friday, November 10.

If there's anything else in particular that you would like to see, please let us know.


olistic commented Nov 10, 2023

> Given that you've shown interest in this package, we will prioritize it. I will provide an update here on Friday, November 10.

As promised, here's the plan we've arrived at:

  1. Automatic releases with commits to master via semantic-release (started moving in this direction in #166, "ci: automatic releases")
  2. Only allow GitHub machine user to publish to npm via GitHub action, removing remaining write permissions except for designated lead maintainers (TBD)

I'll close this issue now, but feel free to reopen if there's anything else related you want to discuss.
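For readers evaluating the second item of that plan, here is what a CI-only publishing workflow of that shape looks like. This is an added illustration, not this repository's own workflow and not code from Exodus; the branch name `master`, the Node version, and the secret name `NPM_TOKEN` (assumed to hold an automation token belonging to the machine user, so that no human account needs npm write access) are assumptions. `NPM_CONFIG_PROVENANCE` is the environment variable semantic-release's npm plugin documents for enabling npm provenance attestations.

```yaml
# .github/workflows/release.yml (example, not the project's file)
name: release

on:
  push:
    branches: [master]        # assumption: releases are cut from master

permissions:
  contents: write             # semantic-release pushes the version tag and creates the GitHub release
  issues: write               # semantic-release comments on issues/PRs included in the release
  pull-requests: write
  id-token: write             # lets npm request an OIDC token for --provenance

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout's credentials in .git/config; semantic-release
          # authenticates its git push with GITHUB_TOKEN below instead.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumption
          registry-url: https://registry.npmjs.org

      - run: npm ci           # lockfile-exact install, fails on lockfile drift
      - run: npm test         # nothing is published if tests fail

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # repo-scoped, short-lived token minted by Actions
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}         # assumption: automation token of the machine user
          NPM_CONFIG_PROVENANCE: "true"               # attach a provenance attestation linking the tarball to this run
```

The security property this buys is that the only credential able to publish is a secret stored in the repository, used by a workflow whose trigger is a commit on a protected branch, so every release is traceable to a commit and a run log. It only holds once the remaining human accounts are removed from the package's owner list (`npm owner rm <user> <package>`) and publishing on npm is set to require 2FA or an automation token; a consumer can then verify the attestation with `npm audit signatures` after installing.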
