I find this concerning in the context of the tendency for packages to promote the use of npx commands, where npx will just find and run the missing package name, so a typo means you have now just run different code than what you intended, in one command.
Does the npm Security Policy discussed at https://www.npmjs.com/policies/security govern testing of all NodeJS modules that are available via npm, or does this policy relate to the software that provides the operational infrastructure for npm itself?