Could we not move to a strategy where authors have to cryptographically sign packages with their own package-specific private key when publishing them?
You then have to manually add the public key for a given package to your package.json so it can verify a tarball came from the author/source you expect.
This won't solve problems where the author is malicious, but it helps other cases.
> Could we not move to a strategy where authors have to cryptographically sign packages with their own package-specific private key when publishing them?
I'm sorry the NPM ecosystem doesn't do this already? Good god!
In NPM's minor defence, I don't know of any contemporary registry that does.
If I had to guess, the registry operator probably either sees this as friction to onboarding, or if they do support signatures, they'd probably rather sign it themselves.
These are both stupid. The author should be responsible for signing, the registry should never see the key, and the registry should require 2FA to log in and set the public key for a package for users to discover.