alt.hn

5/22/2026 at 7:49:57 PM

Staged publishing and new install-time controls for npm

https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npm/

by brianmcnulty

5/23/2026 at 8:07:44 AM

Is any form of code analysis out of the question? Static and dynamic analysis of the code would seem like a promising idea rather than just trying to defer the update and hence the problem.

by supriyo-biswas

5/24/2026 at 12:52:04 AM

[dead]

by sieabahlpark

5/23/2026 at 7:33:45 AM

Seen favorably, staged publishing is a band-aid. Seen more realistically, I believe that in the long run it will even hurt our efforts for more secure infra.

by weinzierl

5/23/2026 at 8:02:40 AM

How could it possibly hurt?

For trusted publishing, it's not a band-aid, it's a significant improvement that kills an entire class of CI takeover publish attacks. I'm sure attackers will find another way but it's a big gap this is closing up.

by buildfocus

5/23/2026 at 2:27:38 AM

Nice…maybe will help some of the recent attacks

by koinedad

5/23/2026 at 3:40:35 AM

If maintainers actually use it

by turkeyboi

5/23/2026 at 3:56:17 AM

This is the biggest question I also had after reading the blog post. Given the recent chain of attacks, wouldn't it make sense to enforce staged publish by default or at least gradually move over to it?

by Klaster_1

5/24/2026 at 12:52:40 AM

[dead]

by sieabahlpark

5/23/2026 at 8:12:52 AM

meanwhile pnpm 10.x by default won't download packages younger than a day

by madarco

5/23/2026 at 8:25:06 AM

Is one day enough to find vulnerabilities? Who keeps an eye on new releases? Otherwise the problem continues to exist, just delayed by one day.

by stabbles

5/23/2026 at 8:43:29 AM

There’s almost a dozen cybersecurity companies scanning NPM publishes in real-time and analysing them.

by captn3m0

5/23/2026 at 9:13:42 AM

*11.x

by jamietanna

5/23/2026 at 3:51:12 PM

Perfect, now we'll start seeing people automate auto publishing because they don't want to explicitly push a button to publish it.

by warmwaffles

5/23/2026 at 8:10:25 AM

[dead]

by bob1029

5/23/2026 at 5:36:10 AM

[dead]

by eff-nix

5/23/2026 at 7:45:42 AM

[dead]

by NicoHartmann