Description
jsr.io is a new package registry that re-thinks some of the model of package upload and download. It includes support for specifying which runtimes a package supports, it is backward compatible with npm, and it simplifies some of the workflow when it comes to uploading packages.
As a newer registry it might be worth having a discussion with the team about potential security recommendations, especially since jsr.io automatically applies a score to certain packages.
There is an opportunity here to build on jsr.io's scoring system to include some of the OWASP security practices in that score; it could even be context dependent. Since jsr.io supports specifying the runtimes a package supports, we could apply web-specific security checks to packages which claim to support the browser, etc.
I feel there are some opportunities to improve the security posture of an entire new set of packages on jsr.io.