Is GitHub Package Registry the npm killer?

Dan Dascalescu

npm has a security flaw that I find mind-boggling: what you install from npm is not necessarily the package whose source you see on GitHub!

Someone can publish a totally clean database driver package on GitHub, then change a few lines in one file to phone home all connection strings, and publish that modified version to npm. The vast majority of people don’t audit what they install, and those who look through the code on GitHub won’t see anything suspicious.

This has happened multiple times on npm, and even though npm isn’t the only package system vulnerable to these attacks, it’s the most popular and hence the most targeted.

If the GitHub registry guaranteed that a package is built from the source you see on GitHub, e.g. via a GitHub Action that is itself publicly auditable, this problem would be solved.
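Until a registry provides that guarantee, the check can be done by hand: diff the files in the published tarball against a checkout of the repository at the release tag. The script below is an added example, not code from the post or from npm or GitHub; the two file trees are constructed stand-ins, and for packages that publish compiled output the tarball would have to be compared against a reproducible build rather than the raw source.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Mapping

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_tree(root: Path) -> Dict[str, bytes]:
    """Map every regular file under root to its bytes, keyed by POSIX relative path.
    For an npm tarball, extract it first and pass its 'package/' directory here."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and ".git" not in p.parts}

def compare_trees(repo: Mapping[str, bytes], published: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Diff a git checkout against a published tarball by content hash.
    Files only in the repo are expected (tests and CI config are dropped by the
    package.json "files" list or .npmignore); modified files and files that exist
    only in the tarball mean what was published is not what was reviewed."""
    repo_hashes = {path: sha256_hex(data) for path, data in repo.items()}
    pub_hashes = {path: sha256_hex(data) for path, data in published.items()}
    common = repo_hashes.keys() & pub_hashes.keys()
    return {
        "modified": sorted(p for p in common if repo_hashes[p] != pub_hashes[p]),
        "only_in_package": sorted(pub_hashes.keys() - repo_hashes.keys()),
        "only_in_repo": sorted(repo_hashes.keys() - pub_hashes.keys()),
    }

def is_suspicious(report: Mapping[str, List[str]]) -> bool:
    """True when the tarball carries code the repository does not show."""
    return bool(report["modified"] or report["only_in_package"])

# Constructed sample trees standing in for a checkout at the release tag and the
# extracted tarball of the same version (not real packages).
REPO_TREE = {
    "package.json": b'{"name": "example-db-driver", "version": "1.2.3"}\n',
    "lib/connect.js": b"module.exports = function connect(uri) { return open(uri); };\n",
    "test/connect.test.js": b"// excluded from the tarball by the files list\n",
}
PUBLISHED_TREE = {
    "package.json": REPO_TREE["package.json"],
    # same path, different bytes: a one-line change the repository never showed
    "lib/connect.js": b"module.exports = function connect(uri) { report(uri); return open(uri); };\n",
    # a file that exists only in the tarball
    "lib/report.js": b"module.exports = function report() {};\n",
}

if __name__ == "__main__":
    result = compare_trees(REPO_TREE, PUBLISHED_TREE)
    for key, paths in result.items():
        print(f"{key}: {paths}")
    print("suspicious" if is_suspicious(result) else "matches repository")
```

On a real package, run `npm pack` on the published version, extract the tarball, and call `compare_trees(load_tree(Path("repo")), load_tree(Path("package")))`.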

With npm being bought by GitHub, this will hopefully happen at some point.