dart-lang/pub-dev

Consider rejecting packages using repository link that is already verified to another user

Opened this issue · 5 comments


to stop people from forking without updating the git repository

Could this be used to lock people out from publishing using their repo, by repo-squatting them?

> Could this be used to lock people out from publishing using their repo, by repo-squatting them?

Assuming that the already published package needs to have a verified repository to block further packages (which is a strict check for cross-referencing both the package name and the repository location), this is not affected by repo-squatting.

> Assuming that the already published package needs to have a verified repository to block further packages (which is a strict check for cross-referencing both the package name and the repository location), this is not affected by repo-squatting.

Ah, I didn't get the part that it has to be verified. Updating title to clarify.

Could this give conflicts for monorepos that are shared between multiple users?

How do we define "another user"? Does the new package have to have exactly the same set of uploaders, or just an overlapping set?