Description
Scenario:
Package foo@1.0.0 was released from GitHub Actions with an OIDC token.
foo@1.0.1 gets released and it's a release done manually from the user's computer.
Idea:
Big red scary banner that says something along the lines of:
🚨 SECURITY DOWNGRADE DETECTED
This package was previously released using a stronger, more secure publishing method. The latest version was released using a weaker or less trusted method.
Unexpected security downgrades are a common indicator of supply-chain compromise. Do not trust this release until the change in publishing security is fully understood and verified.
Idea 2: in this case, replace the install command to copy with npm install foo@1.0.0 where 1.0.0 is the latest release published in a trusted way, so that even if someone ignores the message, they still end up installing the trusted version. They would need to put an effort to install the potentially compromised one.
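The check behind both ideas, as an added example that is not part of the original issue and not code from any registry or tool. It works on the shape of an npm registry packument and assumes that a version published with provenance carries `dist.attestations.provenance` (how registry.npmjs.org exposes it), that release order is taken from the packument's `time` map, and that any version without an attestation counts as the weaker method; the `foo` packument is constructed to mirror the scenario above, not real registry data.

```javascript
// Added example: flag a publishing-method downgrade between the newest release
// of a package and every release before it, and pick the install target the
// issue's "Idea 2" suggests. Illustrative code, not part of any registry.
//
// Assumptions (not stated in the issue):
//  - provenance-published versions carry `dist.attestations.provenance`;
//  - the packument's `time` map gives the publish date of every version;
//  - a version without an attestation is the weaker ("none") method.

const LEVELS = { none: 0, provenance: 1 };

// Classify how one version was published from its packument entry.
function publishMethod(versionEntry) {
  const att = versionEntry && versionEntry.dist && versionEntry.dist.attestations;
  return att && att.provenance ? 'provenance' : 'none';
}

// All published versions, ordered oldest -> newest by publish time.
// Versions with no `time` entry are ignored (assumption: every real release has one).
function releasesInOrder(packument) {
  const time = packument.time || {};
  return Object.keys(packument.versions)
    .filter((v) => time[v])
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
}

// Compare the newest release with the strongest method used by any earlier one.
function checkDowngrade(packument) {
  const order = releasesInOrder(packument);
  if (order.length < 2) {
    const only = order[0];
    return { downgrade: false, latest: only, recommended: only,
             installCommand: `npm install ${packument.name}@${only}` };
  }
  const latest = order[order.length - 1];
  const latestMethod = publishMethod(packument.versions[latest]);
  const prior = order.slice(0, -1);

  let previousStrongest = 'none';
  for (const v of prior) {
    const m = publishMethod(packument.versions[v]);
    if (LEVELS[m] > LEVELS[previousStrongest]) previousStrongest = m;
  }
  const downgrade = LEVELS[latestMethod] < LEVELS[previousStrongest];

  // Idea 2: on a downgrade, point the install command at the newest earlier
  // release that still used the stronger method, not at `latest`.
  const recommended = downgrade
    ? prior.filter((v) => publishMethod(packument.versions[v]) === previousStrongest).pop()
    : latest;

  return { downgrade, latest, latestMethod, previousStrongest, recommended,
           installCommand: `npm install ${packument.name}@${recommended}` };
}

// Idea 1: the banner text, rendered only when a downgrade was found.
function renderBanner(result) {
  if (!result.downgrade) return '';
  return [
    'SECURITY DOWNGRADE DETECTED',
    `Version ${result.latest} was published with method "${result.latestMethod}";`,
    `earlier releases used "${result.previousStrongest}".`,
    `Install the last release published the stronger way: ${result.installCommand}`,
  ].join('\n');
}

// Constructed packument mirroring the issue's scenario (not real registry data):
// 1.0.0 published from GitHub Actions with provenance, 1.0.1 published manually.
const SAMPLE_PACKUMENT = {
  name: 'foo',
  'dist-tags': { latest: '1.0.1' },
  time: { '1.0.0': '2024-05-01T10:00:00.000Z', '1.0.1': '2024-05-08T09:30:00.000Z' },
  versions: {
    '1.0.0': { dist: { attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/foo@1.0.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    '1.0.1': { dist: {} },
  },
};

console.log(renderBanner(checkDowngrade(SAMPLE_PACKUMENT)));
```

Ordering by publish time rather than by semver is deliberate: a backported patch such as `1.0.2` released after `2.0.0` is still the most recent release, and it is the most recent release whose publishing method should be compared with what came before.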