Introduce jsr.io to SWAG discussions #4

Open
okikio opened this issue Sep 9, 2024 · 0 comments

Comments


okikio commented Sep 9, 2024

jsr.io is a new package registry that rethinks some of the model of package upload and download. It includes support for specifying which runtimes a package supports, it is backward compatible with npm, and it simplifies some of the workflow when it comes to uploading packages.

As a newer registry it might be worth having a discussion with the team about potential security recommendations, especially since jsr.io automatically applies a score to certain packages.

There is an opportunity here to build on jsr.io's scoring system to include some of the OWASP security practices in that score; it could even be context dependent. That is, since jsr.io supports specifying the supported runtimes, we could apply web-specific security checks to packages which claim to support the browser, etc.

I feel there are some opportunities to improve the security posture of an entire new set of packages on jsr.io.

okikio changed the title from "Introduce jsr.io to SWAG discussions as a new" to "Introduce jsr.io to SWAG discussions" on Sep 9, 2024
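The "context dependent" idea from the issue, sketched as an added example. This is not jsr.io's scoring code, manifest format or check list, and it is not code from the SWAG project: the `runtimes` array on the manifest, the checks, the weights and the sample package are all assumptions invented for illustration. The point it shows is that the same source text scores differently depending on which runtimes the package declares, and that a package declaring no runtimes is scored against every check rather than against none.

```javascript
// Added illustration of runtime-aware security checks. NOT jsr.io's scoring
// code, manifest format or check list: the `runtimes` field, the checks and
// the weights below are assumptions made for this example.

// A check is a source-text pattern tied to the runtime where it matters
// ("*" = every runtime) and a weight deducted from the score per occurrence.
const CHECKS = [
  { id: "browser/innerHTML-assignment", runtime: "browser", weight: 3,
    re: /\.innerHTML\s*=(?!=)/g,
    why: "DOM XSS sink (OWASP A03 Injection); prefer textContent or a sanitizer" },
  { id: "browser/document.write", runtime: "browser", weight: 3,
    re: /\bdocument\.write(ln)?\s*\(/g,
    why: "DOM XSS sink" },
  { id: "browser/postMessage-wildcard-origin", runtime: "browser", weight: 2,
    re: /\.postMessage\s*\([^)]*,\s*["']\*["']\s*\)/g,
    why: "message delivered to any origin" },
  { id: "node/child_process-exec-interpolated", runtime: "node", weight: 4,
    re: /\b(exec|execSync)\s*\(\s*`[^`]*\$\{/g,
    why: "shell command assembled from interpolated input (command injection)" },
  { id: "any/eval", runtime: "*", weight: 5,
    re: /\beval\s*\(/g,
    why: "arbitrary code execution sink" },
  { id: "any/new-Function", runtime: "*", weight: 5,
    re: /\bnew\s+Function\s*\(/g,
    why: "arbitrary code execution sink" },
];

// Runtimes this example knows about (an assumption, not a JSR list).
const KNOWN_RUNTIMES = ["browser", "node", "deno", "bun", "workerd"];

// Pick the checks that apply to a package. A package that declares no
// runtimes gives no context to narrow by, so every check is applied
// (worst case) rather than silently skipping the runtime-specific ones.
function checksFor(manifest) {
  const declared = Array.isArray(manifest.runtimes) ? manifest.runtimes : [];
  const runtimes = declared.length > 0 ? declared : KNOWN_RUNTIMES;
  return CHECKS.filter((c) => c.runtime === "*" || runtimes.includes(c.runtime));
}

// `files` maps a path to its source text. Returns every finding plus a score
// that starts at 100 and loses `weight` per match, floored at 0.
function scorePackage(manifest, files) {
  const findings = [];
  for (const check of checksFor(manifest)) {
    for (const [path, src] of Object.entries(files)) {
      const matches = src.match(check.re); // global regex: all occurrences
      if (matches) {
        findings.push({ path, id: check.id, count: matches.length,
                        deduction: matches.length * check.weight, why: check.why });
      }
    }
  }
  const deducted = findings.reduce((sum, f) => sum + f.deduction, 0);
  return { score: Math.max(0, 100 - deducted), findings };
}

// Constructed sample package (invented for this example, not from any
// registry): a DOM helper and a CLI helper shipped together.
const SAMPLE_FILES = {
  "mod.ts": "export function render(el, html) { el.innerHTML = html; }\n",
  "cli.ts": 'import { execSync } from "node:child_process";\n' +
            "export const run = (name) => execSync(`ls ${name}`);\n",
};

// Same source, different declared runtimes: the browser check only fires
// when the package claims browser support.
const dual = scorePackage({ name: "@example/widget", runtimes: ["browser", "node"] }, SAMPLE_FILES);
const nodeOnly = scorePackage({ name: "@example/widget", runtimes: ["node"] }, SAMPLE_FILES);
console.log(dual.score, dual.findings.map((f) => f.id));
// 93 [ 'browser/innerHTML-assignment', 'node/child_process-exec-interpolated' ]
console.log(nodeOnly.score, nodeOnly.findings.map((f) => f.id));
// 96 [ 'node/child_process-exec-interpolated' ]
```

Regex matching over source text is only a stand-in for real analysis (a registry would run this over an AST and track data flow); what the example is meant to show is the selection step in `checksFor`, where the declared runtimes decide which checks count at all.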