This is not a question related to the package itself but rather to its governance.
We are considering adopting this library as a dependency for JSON schema validation in our project and I'd like to clarify one aspect. The repo lists 11 collaborators; however, on npmjs.com the package appears to have over 75 collaborators.
Does this mean that all the people listed there have write access to the package and can potentially initiate a supply chain attack?
Hey @dreamorosi, thanks for raising this valid concern.
We're actually at the beginning of a series of initiatives at Exodus that have OSS as one of the pillars, so your message comes right in time. We have done a bunch of improvements to our release processes internally, which include building and publishing packages only using CI/CD pipelines based on GitHub Actions, and we're planning to roll those out to public packages.
Given that you've shown interest in this package, we will prioritize it. I will provide an update here on Friday, November 10.
If there's anything else in particular that you would like to see, please let us know.
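The question above (who on the npm side can publish) and the reply (publishing only from a GitHub Actions pipeline) both come down to fields in the package's registry metadata document, the "packument" served at `https://registry.npmjs.org/<name>`. The script below is an added example and is not code from this thread or from Exodus. It reads three things: the `maintainers` list (every name there can publish a new version, regardless of who has write access to the GitHub repo), the `_npmUser` recorded on each published version (who actually pushed it), and whether a version's `dist` carries an `attestations` entry, which npm adds when a version is published with provenance from a CI workflow. The package name, the maintainer names and the packument itself are constructed for illustration; `fetch_packument` is included for running the same audit against a real package and is not used by the sample run.

```python
"""Audit an npm packument for publish rights and provenance.

Added example, not code from the original thread or from Exodus.
The package name, user names and packument below are constructed.
"""
import json
import urllib.request

REGISTRY = "https://registry.npmjs.org"


def fetch_packument(package_name: str) -> dict:
    """Fetch the live packument for a package (network; not used by the sample run)."""
    with urllib.request.urlopen(f"{REGISTRY}/{package_name}") as resp:
        return json.load(resp)


def publish_history(doc: dict) -> list:
    """Return (version, publisher, has_provenance) for every published version,
    in the order the registry lists them."""
    history = []
    for version, meta in doc.get("versions", {}).items():
        publisher = meta.get("_npmUser", {}).get("name")
        # npm stores SLSA provenance for versions published with
        # `npm publish --provenance` from a supported CI workflow under dist.attestations.
        has_provenance = "attestations" in meta.get("dist", {})
        history.append((version, publisher, has_provenance))
    return history


def audit_packument(doc: dict, repo_collaborators: set) -> dict:
    """Compare npm-side publish rights with the repo's collaborator list and
    report who published the latest version and whether it has provenance.

    Anyone in `maintainers` but not in the repo collaborator set is a publish
    path that a review of the GitHub repo's access does not cover.
    """
    maintainers = {m["name"] for m in doc.get("maintainers", [])}
    latest_tag = doc["dist-tags"]["latest"]
    latest = doc["versions"][latest_tag]
    return {
        "latest": latest_tag,
        "publisher": latest.get("_npmUser", {}).get("name"),
        "maintainers": sorted(maintainers),
        "maintainers_not_in_repo": sorted(maintainers - set(repo_collaborators)),
        "latest_has_provenance": "attestations" in latest.get("dist", {}),
    }


# Constructed sample packument, trimmed to the fields the audit reads.
# Names are hypothetical; "example-schema-validator" is a placeholder package name.
SAMPLE_PACKUMENT = {
    "name": "example-schema-validator",
    "dist-tags": {"latest": "2.1.0"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.org"},
        {"name": "bob", "email": "bob@example.org"},
        {"name": "carol", "email": "carol@example.org"},
        {"name": "legacy-release-bot", "email": "bot@example.org"},
    ],
    "versions": {
        "2.0.0": {
            "_npmUser": {"name": "alice"},
            "dist": {
                "tarball": "https://registry.npmjs.org/example-schema-validator/-/example-schema-validator-2.0.0.tgz",
                "attestations": {"url": "https://registry.npmjs.org/-/npm/v1/attestations/example-schema-validator@2.0.0"},
            },
        },
        "2.1.0": {
            "_npmUser": {"name": "legacy-release-bot"},
            "dist": {
                "tarball": "https://registry.npmjs.org/example-schema-validator/-/example-schema-validator-2.1.0.tgz"
            },
        },
    },
}

# Constructed: the accounts that show up as collaborators on the GitHub repo.
REPO_COLLABORATORS = {"alice", "bob"}

if __name__ == "__main__":
    print(json.dumps(audit_packument(SAMPLE_PACKUMENT, REPO_COLLABORATORS), indent=2))
    for row in publish_history(SAMPLE_PACKUMENT):
        print(row)
```

On the constructed data the audit flags two npm maintainers who are not repo collaborators and shows that the latest version was pushed by one of them without provenance, while the previous version was published from CI with an attestation. Run against a real package, a non-empty `maintainers_not_in_repo` list answers the original question directly: every account on it can publish, whether or not it appears on GitHub.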