Automated scanning of dependency tree for blocklisted maintainers
At the time of writing, all deprecations of @achrinza/node-ipc were due to transient dependencies managed by @/riaevangelist. This is due to the difficulty of checking each dependency manually for its maintainers.
This issue is to track finding/creating a solution which can scan the dependency tree, retrieve their maintainers from the registry, and compare it to a blocklist.
We may have a potential solution, though it is missing a critical feature (Filtering by transient dependencies).
I've opened an issue: https://github.com/prantlf/find-npm-by-author/issues/1
Another problem is that, for library authors, it cannot cater for every permutation of the dependency tree. This pretty much pushes us back to the same issue as https://github.com/loopbackio/security/issues/19.
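The scan described in the issue (walk the lockfile, fetch each package's maintainers from the registry, compare with a blocklist, and distinguish direct from transitive dependencies), as an added example that is not code from the issue or from find-npm-by-author. The lockfile, package names, maintainer names and registry responses are all constructed, and the registry lookup is injected so the example runs offline.

```javascript
// Added example, not code from the issue: scan a v2/v3 package-lock.json for
// packages whose registry maintainers are on a blocklist, and say whether each
// hit is a direct or a transitive dependency. Names and registry data below are
// constructed; `lookup` is injected so this runs offline (a real run would GET
// https://registry.npmjs.org/<name> and read the packument's `maintainers`).
// Unique package names in the lockfile, marked direct when the root manifest
// lists them; anything else reached through the tree is transitive.
function collectDependencies(lockfile) {
  const root = lockfile.packages[''] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const seen = new Map();
  for (const lockPath of Object.keys(lockfile.packages)) {
    if (lockPath === '') continue;
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const name = lockPath.split('node_modules/').pop();
    if (!seen.has(name)) seen.set(name, { name, direct: direct.has(name) });
  }
  return [...seen.values()];
}

// Match each package's maintainers against the blocklist (case-insensitive).
// `transitiveOnly` is the filter the issue notes the existing tool lacks.
function scanForBlocklistedMaintainers(lockfile, blocklist, lookup, transitiveOnly = false) {
  const blocked = new Set(blocklist.map((u) => u.toLowerCase()));
  const findings = [];
  for (const dep of collectDependencies(lockfile)) {
    if (transitiveOnly && dep.direct) continue;
    const maintainers = (lookup(dep.name) || {}).maintainers || [];
    const hits = maintainers.map((m) => m.name).filter((n) => blocked.has(n.toLowerCase()));
    if (hits.length) findings.push({ package: dep.name, direct: dep.direct, maintainers: hits });
  }
  return findings;
}

// Constructed lockfile: app -> web-framework -> ipc-helper (nested install).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { 'web-framework': '^1.0.0' } },
    'node_modules/web-framework': { version: '1.0.0', dependencies: { 'ipc-helper': '^9.0.0' } },
    'node_modules/web-framework/node_modules/ipc-helper': { version: '9.2.1' },
  },
};
// Constructed registry responses, shaped like a packument's `maintainers` field.
const SAMPLE_REGISTRY = {
  'web-framework': { maintainers: [{ name: 'trusted-team' }] },
  'ipc-helper': { maintainers: [{ name: 'Blocked-Maintainer' }] },
};
const offlineLookup = (name) => SAMPLE_REGISTRY[name] || null;
console.log(scanForBlocklistedMaintainers(SAMPLE_LOCKFILE, ['blocked-maintainer'], offlineLookup));
```

Swapping `offlineLookup` for a function that fetches the packument from the registry turns this into the scanner the issue asks for; it still cannot cover every permutation a downstream consumer's tree may resolve to.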
This seems like a poor decision.