Somebody had the same idea as me, a developer identity package

@mistersql

npmjs.com/package/fka?activeTa

Self-replies

Just like PyPI, npm's identity model is aggressive anonymity.

**You will not trust packages because the package comes from a real world identity! That reason is forbidden!** Only crypto/signature/password chains that show the 2nd package was published by the same entity that controlled the account earlier. Except when repos and accounts change hands or when an account is controlled by 100s of people or a corporation, at which point entity is kind of nebulous.

npmjs.com/~fkadev

Package repository profiles show what packages the entity that published with that username/password published. That's it! Don't ask for more! You will be told that it is out of scope of thoughts about security! Too hard of a problem! Please sign your packages with short lived tokens and all.