Package Repository Security Principles

  • Authors and last update: Jack Cable (CISA) and Zach Steindler. Last updated in Feb 2024.
  • Background: The OpenSSF's Securing Software Repositories Working Group identified a taxonomy of package repositories and a set of security principles. The document offers best practices for package repositories and their CLI tools. Which security capabilities apply depends on the services a given repository provides.
  • Taxonomy of Package Repositories:

    • Has user accounts: yes (e.g. PyPI) or no (e.g. {index, proxy, sum}.golang.org).
    • Accepts built packages, builds packages on behalf of users, or only hosts source code: examples across these categories include npm, Homebrew, and {index, proxy, sum}.golang.org.
  • Security Capabilities of Package Repositories:

    • Authentication:

      • Level 1: Require email verification, document account recovery policy, support strong MFA (TOTP), notify maintainers of critical account changes, and implement brute force prevention.
      • Level 2: Detect abandoned email domains, support phishing-resistant MFA (WebAuthn), require MFA for critical packages, integrate with leaked credential databases.
      • Level 3: Support passwordless authentication (passkeys), require MFA for all maintainers, and require phishing-resistant MFA for critical packages.
    • General Capabilities:

      • Level 1: Publish a vulnerability disclosure policy and take steps to prevent typosquatting.
      • Level 2: Have an unpublish policy, allow users to report suspicious packages, detect malware, and warn of known security vulnerabilities in dependencies.
      • Level 3: Undergo periodic security reviews, publish an event transparency log, and publish malicious package advisories in a standardized format.
    • CLI Tooling:

      • Level 1: Allow installing pinned dependencies.
      • Level 2: Warn of known security vulnerabilities when installing packages.
      • Level 3: Have functionality to produce SBOMs, automatically remediate vulnerabilities, and use static analysis to reduce false positives.
  • Resources / Inspiration: Links to various resources including packaging improvement documents, survey results, npm threats and mitigations, and a build systems research paper. CISA does not endorse any commercial entities mentioned.
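The Level 1 general capability above, "take steps to prevent typosquatting", is usually implemented as a screening step on the publish path: a new package name is normalized and compared against the names of already-popular packages, and near-matches are held for review. The block below is an added example written for this summary; it is not code from the OpenSSF document, CISA, or any repository named above. It assumes a PyPI-style name normalization (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), a small constructed list of "popular" names standing in for a repository's own download statistics, and a hypothetical confusable-character map; the distance threshold and the confusable table are policy knobs a real repository would tune.

```python
"""Typosquat screening for new package names (added example, not from the page)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for "popular packages"; a real repository would derive
# this set from its own download statistics.
POPULAR_PACKAGES = {"requests", "numpy", "urllib3", "python-dateutil", "pyyaml", "setuptools"}

# Hypothetical lookalike map: multi-character pairs first so "rn" is folded
# before its single characters are examined.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(name: str) -> str:
    """PEP 503-style normalization: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold_confusables(name: str) -> str:
    """Map visually similar sequences to one canonical spelling."""
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    closest: Optional[str]


def check_new_name(candidate: str, popular: Iterable[str] = POPULAR_PACKAGES,
                   max_distance: int = 1) -> Verdict:
    """Decide whether a requested new package name should be held for review."""
    norm = normalize(candidate)
    canon = fold_confusables(norm)
    normalized_popular = sorted(normalize(p) for p in popular)

    # Separator variants (python_dateutil vs python-dateutil) collapse to the
    # same normalized name, so they are caught here as a plain collision.
    if norm in normalized_popular:
        return Verdict(True, "collides with existing package", norm)

    for pn in normalized_popular:
        # Same name once lookalike characters are folded, e.g. "nurnpy" -> "numpy".
        if canon == fold_confusables(pn):
            return Verdict(True, f"confusable-character variant of {pn}", pn)
        dist = damerau_levenshtein(norm, pn)
        if dist <= max_distance:
            return Verdict(True, f"edit distance {dist} from {pn}", pn)
    return Verdict(False, "no close match", None)


if __name__ == "__main__":
    for name in ["requets", "reqeusts", "nurnpy", "python_dateutil", "flask"]:
        print(f"{name:18} -> {check_new_name(name)}")
```

Running the module prints a verdict per sample name: the one-character deletion, the adjacent transposition, the `rn`/`m` lookalike and the separator variant are all held, while an unrelated name passes. A repository would typically route held names to a human queue rather than rejecting them outright, since legitimate forks and namespaced variants also land near popular names.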