This pull request proposes to change recommendations around publishing NPM packages to always recommend the use of the 18F organization for scoping, as a way to...
The last of these points has already happened within TTS: for a time, a malicious package `uswds-gulp` existed, purporting to be the `uswds/uswds-gulp` toolchain. Scoped packages help to avoid these sorts of attacks, because only members of the organization are allowed to publish packages using the scope.
I had raised this as a discussion point in Slack some time ago, but only today realized we have guidance around it.
Reading the previous guidance, I do see some merit to the idea that packages with no necessary association with 18F needn't be scoped as such, though personally I see the advantages of scoping outweighing this. I'm very open to other viewpoints, however!