I’m a (begrudging) TS/Node developer who has previously spent over a decade in the .NET ecosystem, and I would like to point out that this kind of @&/%} doesn’t happen in other ecosystems.

It should <i>not</i> take a third party like GitHub to notify you that there’s a security hole in a hugely popular package. If the npm registry can’t do any better self-policing than it already does, it should at least start tagging packages as “verified” or “official” like Docker does.

I would also say they should start advocating for experienced developers. The “even or odd” package getting hacked should have been a call to order, but apparently it wasn’t.