NPM Please Secure Package Releasing

The Issue

Several vulnerabilities have been injected into open source software and released, causing massive harm and damage to the open source community. Just a few recent examples include:

Many of these vulnerabilities may be preventable if package repository managers (like npmjs.org) scanned packages for vulnerabilities prior to publishing the version. This would significantly enhance Internet security for everyone. We ask NPM to address the following security enhancements:

  • Enforce 2-Factor Authentication for package Authors and publishing
  • Automatically scan packages for vulnerabilities before being released to the general public

Additional security measures that can be implemented:

  • Require GPG signing of packages in order to publish to the general public
  • Automatically identify anomalous behavior (such as a package suddenly being published after years of being stale, publishing from an IP address that hasn't been seen before, or publishing many versions within a short timeframe)

This petition had 170 supporters
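
The three anomalous-publish patterns listed above, expressed as a detection rule over publish-event records. This is an added example, not npm's code or part of the petition; the event format, the thresholds (two years idle, five versions in 24 hours) and the sample events are assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not stated by the petition)
STALE_AFTER = timedelta(days=365 * 2)   # "suddenly after years of being stale"
BURST_WINDOW = timedelta(hours=24)      # "many versions within a short timeframe"
BURST_COUNT = 5                         # versions inside BURST_WINDOW that count as a burst


def flag_publishes(events):
    """events: iterable of {pkg, version, ip, time} dicts (time is a datetime).
    Returns a list of (pkg, version, reason) findings, in publish order."""
    history = {}   # pkg -> {"times": [datetime, ...], "ips": {str, ...}}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        h = history.setdefault(ev["pkg"], {"times": [], "ips": set()})
        if h["times"]:  # first release of a package has no baseline to compare to
            if ev["time"] - h["times"][-1] >= STALE_AFTER:
                findings.append((ev["pkg"], ev["version"], "publish after long inactivity"))
            if ev["ip"] not in h["ips"]:
                findings.append((ev["pkg"], ev["version"], "publish from unseen IP"))
        recent = [t for t in h["times"] if ev["time"] - t <= BURST_WINDOW]
        if len(recent) + 1 >= BURST_COUNT:   # +1 counts the current publish
            findings.append((ev["pkg"], ev["version"], "version burst"))
        h["times"].append(ev["time"])
        h["ips"].add(ev["ip"])
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (documentation IP ranges; not real registry data).
SAMPLE_EVENTS = [
    {"pkg": "left-widget", "version": "1.0.0", "ip": "203.0.113.5", "time": _t("2018-03-01T10:00:00")},
    {"pkg": "left-widget", "version": "1.0.1", "ip": "203.0.113.5", "time": _t("2018-04-01T10:00:00")},
    # Over three years idle, then a release from an address never seen for this package
    {"pkg": "left-widget", "version": "1.0.2", "ip": "198.51.100.9", "time": _t("2021-10-22T03:00:00")},
    # ...followed by four more versions within the hour
    {"pkg": "left-widget", "version": "1.0.3", "ip": "198.51.100.9", "time": _t("2021-10-22T03:10:00")},
    {"pkg": "left-widget", "version": "1.0.4", "ip": "198.51.100.9", "time": _t("2021-10-22T03:20:00")},
    {"pkg": "left-widget", "version": "1.0.5", "ip": "198.51.100.9", "time": _t("2021-10-22T03:30:00")},
    {"pkg": "left-widget", "version": "1.0.6", "ip": "198.51.100.9", "time": _t("2021-10-22T03:40:00")},
]

if __name__ == "__main__":
    for pkg, version, reason in flag_publishes(SAMPLE_EVENTS):
        print(f"{pkg}@{version}: {reason}")
```

Flags like these are a review trigger (hold the version, notify the maintainer), not an automatic block; each heuristic alone also fires on legitimate releases.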

The Decision Makers

npm

Petition created on November 4, 2021