Very interesting read, very impressive. With GitHub’s new feature of custom repository properties it can be so easy to implement a confirmation mechanism between a repository and an npm package, but I guess it could have been implemented with other means a long time ago.
Thanks! Lots of tooling out there, but not much uptake. I mean, npm itself has better, more secure alternatives, but is still the most popular registry on the planet. Like, wtf?!