Thank you a lot for this great article. As well for the tool.

I guess for better security two things can be great

- have a well designed sandboxed environment for scripts (at package manager level) [ something i doubt would happen ]

- Whole shift ...

- Security code analyzers, that try to check scripts ... on publish. Flagging anything that is suspicious. I wonder if security tools and ai based tools if are good at detecting such.a thing. Such an armor. Would assure more security for any published package. Such packages can still be published. But not automatically installed. People can review for themselves. Also, moderators can analyze them.

- If the dependency tree is huge. And a lot of scripts to run. Reviewing all specially the packages that you trust. Is kind of too much.

- What we can do. Is build tools that first install using

`npm install --ignore-scripts`

And then use security analyzers. and scan all packages with scripts in them.

- We can make an extra step. And scan the changes made between old package version and new one

(Scripts does run things, also packages if installed and running through the system. A compromised package will still run malicous code regardless of if we will or not run those scripts. Or well not necessarly if permissions are limited for an app. Still it's complex. The same can be done to protect against the scripts issue)

- in general i wonder if npm registry does apply Security code analyzis. That would make a big difference in security

- If they don't we can have our own tools to run such security checks. We can add more flagging rules. Including running checks and rules on diffs.

- if previous version is secure. What about the diff

- And last thing. I guess to secure the system extra. Restricting the permission of npm process and of the whole system.

- i wonder about how to setup such security measure

- security always comes with inconvenience