
> Spammers just try to find something that ranks high in SEO and costs them nothing; if the repository stops being that, most will leave.

This is not true. Spammers will continue trying even if you are very good about removing spam packages. Source: worked on a package manager for 5 years.

> Most other package repositories don't have that problem to such degree

They do, you’re just not seeing it because they’re actively removing packages. That said, NPM is the largest package ecosystem and likely receives the most spam.

> Users will do the flagging for that so at least you won't have too many valid packages to verify

The trick is to have detection that’s accurate enough that you feel confident removing packages without human intervention.

Package managers have likely already built lots of tooling to detect potential spam and then bulk remove them. That’s how they manage thousands of spam removals per week in a reasonable amount of time. Nonetheless, human verification is necessary due to the “left pad problem”. This takes time due to the sheer quantity of spam.
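The triage the comment above describes (an automated score that is trusted enough to bulk-remove without a human, plus a "left pad" guard that sends anything with dependents to a person instead) can be sketched as a small scorer. This is an added illustration, not code from the commenter or from any registry; the `Package` fields, the spam phrases, the score weights and the two thresholds are all assumptions chosen for the example, and the packages in `SAMPLE` are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    # Assumed metadata a registry would have on hand at triage time.
    name: str
    readme: str
    publisher_age_days: int        # age of the publishing account
    publisher_pkgs_last_24h: int   # packages this account pushed in the last day
    dependents: int                # other packages that depend on this one


# Assumed indicators; a real registry would learn these, not hard-code them.
SPAM_PHRASES = ("free download", "watch online", "full movie", "crack", "keygen")
TEMPLATED_NAME = re.compile(r"-\d{3,}$")   # e.g. "movie-online-1234"


def spam_score(pkg: Package) -> float:
    """Return a 0.0..1.0 spam score from cheap metadata signals (assumed weights)."""
    score = 0.0
    text = pkg.readme.lower()
    hits = sum(1 for phrase in SPAM_PHRASES if phrase in text)
    score += min(0.25 * hits, 0.5)           # README wording, capped
    if pkg.publisher_pkgs_last_24h >= 20:
        score += 0.3                          # publishing burst
    if pkg.publisher_age_days < 1:
        score += 0.2                          # brand-new account
    if TEMPLATED_NAME.search(pkg.name):
        score += 0.1                          # generated-looking name
    return min(score, 1.0)


def triage(pkg: Package, auto_threshold: float = 0.9,
           review_threshold: float = 0.5) -> str:
    """Decide 'keep', 'auto_remove' or 'human_review' for one package.

    The left-pad guard: a package with dependents is never auto-removed,
    however spammy it scores, because removal would break those dependents.
    """
    score = spam_score(pkg)
    if score < review_threshold:
        return "keep"
    if pkg.dependents > 0:
        return "human_review"
    if score >= auto_threshold:
        return "auto_remove"
    return "human_review"


def triage_batch(pkgs) -> dict:
    """Bulk triage, as a registry would run over a day's new uploads."""
    return {p.name: triage(p) for p in pkgs}


# Constructed sample uploads for the example.
SAMPLE = [
    Package("watch-movie-online-1234",
            "Free download! Watch online the full movie in HD",
            publisher_age_days=0, publisher_pkgs_last_24h=150, dependents=0),
    Package("left-pad", "String left pad utility",
            publisher_age_days=3000, publisher_pkgs_last_24h=1, dependents=50000),
    Package("free-download-helper-0001", "free download helper with crack",
            publisher_age_days=0, publisher_pkgs_last_24h=40, dependents=3),
    Package("video-tools", "Tools for a full movie pipeline",
            publisher_age_days=5, publisher_pkgs_last_24h=25, dependents=0),
]


if __name__ == "__main__":
    for name, decision in triage_batch(SAMPLE).items():
        print(f"{name:30s} {decision}")
```

Only the first package is removed automatically: the third scores just as high but has dependents, so it goes to a human, and the fourth is a borderline score that a person has to look at. Tuning the two thresholds is the whole game the comment describes; the higher `auto_threshold` is, the more of the daily volume lands in the human queue.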


