>They should first get package signatures implemented, it's a bigger threat to the npm community
Considering that signature checking would not have prevented this attack that has actually happened, I would say that not having signed packages is not in fact the bigger threat.
Or can you point us to a prior example of a successful attack that could have been thwarted with proper signature checking?