Today’s eslint fiasco shows that 2FA can be a powerful tool for stopping unauthorized package publishes. When a package author chooses not to use 2FA and gets compromised as a result, the impact doesn’t just affect the author; it impacts everyone depending on that package. Thus, would it be possible to do either of the following?
- Include prominently on the npm website whether a package is published by an author using 2FA and create a repo badge to advertise this.
- Require packages with enough downloads (I’m not familiar enough with the ecosystem to say what an appropriate amount would be) to use 2FA to further publish packages.
These are both pretty heavy-handed, particularly the latter, but I think that’s appropriate when an individual’s poor security choices can harm so many developers and their users.