dear package registries (npm, composer, etc), i am begging you
require 2FA before someone can tag a release RIGHT NOW
this would immediately stop a huge amount of the open source supply chain attacks we keep seeing
introducing laravel moat
as an open source maintainer, recent supply chain attacks in the ecosystem made me want a simple cli to audit the security of my GitHub organizations and repositories
built in Rust. for any open source project on GitHub
moat checks the things that are easy to miss: 2FA, branch protection, signed commits, secret scanning, Dependabot, workflow permissions, pinned actions, webhooks, and more
available now: https://github.com/laravel/moat
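An added example, not part of the thread or of the moat project: a small Python checker for two of the items listed above, pinned actions and workflow permissions, run over a constructed GitHub Actions workflow (the action names and the commit SHA in it are made-up sample values). It flags third-party `uses:` references that are not pinned to a full 40-hex commit SHA and a top-level `permissions: write-all` or missing `permissions:` block.

```python
import re

# Constructed sample workflow (not a real repository); one action pinned to a
# made-up SHA, one pinned only to a mutable tag, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: ./.github/actions/local-step
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # value of a `uses:` step
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full git commit SHA
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$", re.MULTILINE)  # column 0 only

def unpinned_actions(workflow_text):
    """Return third-party action refs whose version is not a full commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are outside SHA pinning
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings

def workflow_permissions_issue(workflow_text):
    """Return a finding when the top-level GITHUB_TOKEN grant is too broad, else None."""
    m = TOP_PERMS_RE.search(workflow_text)
    if m is None:
        return "no top-level permissions block (token falls back to the repo default)"
    if m.group(1).strip() == "write-all":
        return "top-level permissions: write-all grants every scope to GITHUB_TOKEN"
    return None
```

Run on the sample it reports `actions/checkout@v4` as unpinned and the `write-all` grant; a workflow with `permissions:` followed by an indented scoped block passes the permissions check.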
i think twitter is probably where i get the least engagement right now.. which is funny because it's the one i enjoy the most.. i'm grateful for any traction anywhere, but youtube, tiktok, instagram, and even linkedin seem to do a lot better for me
