The number of supply chain attacks grows, possibly as the population using classical PCs is skewing more towards people who make software.
There was recently an attack that involved a virus that replicated itself via npm packages - if a package maintainer got infected, their package would get infected. About 180 were affected.
It seems that these attacks will be discovered soon, pretty much every time. So what I would like to do is change my npm configuration or behavior so that it doesn't "see" packages newer than some threshold (i.e. 2 months) unless I audit them first.
What's the easiest way to accomplish this in a home environment? Corporations typically have their own npm/pip clones, but that feels impractical for a home user.
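One way to implement the "don't see packages newer than N days" rule described above, as an added example that is not part of the original question: npm's registry metadata for a package includes a `time` map (version to publish timestamp, shown by `npm view <pkg> time --json`), and npm itself accepts a `before` setting (`npm install --before=<date>`, or `before=<date>` in `.npmrc`) that restricts resolution to versions published on or before that date. The script below, written for this page rather than taken from npm or any project, computes the cutoff date for a quarantine window, lists which versions of a package have aged past it, picks the newest one that qualifies, and produces the value to hand to `before`. The package data is a constructed sample embedded inline, so it runs offline; `quarantine_days` and the reference date are assumptions for the demo.

```python
"""Quarantine newly published npm versions: only versions at least N days old are eligible."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by `npm view <pkg> time --json`.
# Real output also carries "created"/"modified" keys alongside the per-version timestamps.
SAMPLE_TIME_JSON = json.dumps({
    "created":  "2023-01-10T12:00:00.000Z",
    "modified": "2025-09-15T08:30:00.000Z",
    "1.0.0":    "2023-01-10T12:00:00.000Z",
    "1.1.0":    "2024-06-01T09:00:00.000Z",
    "1.1.1":    "2025-08-20T10:00:00.000Z",
    "1.2.0":    "2025-09-15T08:30:00.000Z",
})

# Only keys that look like a version number are treated as releases.
VERSION_KEY = re.compile(r"^\d+\.\d+\.\d+")


def parse_registry_time(raw_json):
    """Turn the `time` map into {version: aware UTC datetime}, dropping metadata keys."""
    times = {}
    for key, stamp in json.loads(raw_json).items():
        if not VERSION_KEY.match(key):
            continue  # "created", "modified", "unpublished", ...
        times[key] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return times


def quarantine_cutoff(now, quarantine_days):
    """Versions published after this instant are still 'too new' to install."""
    return now - timedelta(days=quarantine_days)


def aged_versions(times, cutoff):
    """Versions published on or before the cutoff, oldest first (ordered by publish date)."""
    eligible = [(stamp, version) for version, stamp in times.items() if stamp <= cutoff]
    return [version for _, version in sorted(eligible)]


def too_new_versions(times, cutoff):
    """Versions inside the quarantine window; these are the ones to audit before trusting."""
    return [version for version, stamp in sorted(times.items(), key=lambda kv: kv[1]) if stamp > cutoff]


def newest_aged_version(times, cutoff):
    """The most recently published version that has already aged out, or None."""
    aged = aged_versions(times, cutoff)
    return aged[-1] if aged else None


def npm_before_value(cutoff):
    """Format the cutoff the way npm prints timestamps, for `--before=` or `before=` in .npmrc."""
    return cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


if __name__ == "__main__":
    # Assumed reference date and window for the demo; use datetime.now(timezone.utc) for real runs.
    now = datetime(2025, 9, 16, tzinfo=timezone.utc)
    cutoff = quarantine_cutoff(now, quarantine_days=60)
    times = parse_registry_time(SAMPLE_TIME_JSON)
    print("cutoff for npm --before:", npm_before_value(cutoff))
    print("eligible (aged) versions:", aged_versions(times, cutoff))
    print("quarantined (too new):   ", too_new_versions(times, cutoff))
    print("newest installable:      ", newest_aged_version(times, cutoff))
```

For a home setup the simplest use of this is to drop `before=<value from npm_before_value>` into the project's `.npmrc` and bump the date when you have had a chance to look at what was published since; the `too_new_versions` list is what you would audit first. Note that `before` only restricts which versions npm resolves, so the lockfile of an already-installed tree still needs a rebuild for the setting to take effect.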
