by xdissent 3744 days ago
In the case of left-pad, 2538464 of its 2550569 downloads last month are attributed to dependents of the line-numbers package (https://www.npmjs.com/package/line-numbers). So it would appear that relatively few people directly rely on left-pad, which highlights the importance of vetting the dependencies of dependencies.
2 comments

This is in the description of line-numbers:

DEPRECATED. This is a rather silly package that I do not recommend using. It's easier to copy the ~20 lines of code of this package and customize that code, rather than downloading and learning how to use this package.

Committed five hours ago: https://github.com/lydell/line-numbers/commit/711f6ad0eb1771...

This mess appears to have convinced the author of that.

About 2/3 of those (1.7M) were from babel-code-frame, which is a core dependency of babel:

https://www.npmjs.com/package/babel-code-frame

And the fix was just to drop the functionality and inline the function as a no-op:

https://github.com/babel/babel/commit/09287643c712bcd203bbd6...
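As an added illustration of the point about vetting the dependencies of dependencies (this is example code, not anything from the thread, npm or babel): the script below walks a `package-lock.json` in the lockfile v2/v3 `packages` layout and reports every chain from a direct dependency down to a named package, so a transitive dependency like left-pad can be traced back to whichever direct dependencies pull it in. The lock data is constructed for the example, and the walk assumes a fully hoisted (flat) `node_modules` layout.

```javascript
// Constructed lock data mirroring the chain discussed in the thread:
// babel-code-frame -> line-numbers -> left-pad, plus a second direct
// dependency that uses left-pad on its own. Not a real lock file.
const lock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "babel-code-frame": "^6.0.0", "some-cli": "^1.0.0" } },
    "node_modules/babel-code-frame": { version: "6.0.0", dependencies: { "line-numbers": "^0.2.0" } },
    "node_modules/line-numbers": { version: "0.2.0", dependencies: { "left-pad": "^0.0.3" } },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { "left-pad": "^0.0.3" } },
    "node_modules/left-pad": { version: "0.0.3" },
  },
};

// Return every dependency chain (as an array of package names) that starts at
// a direct dependency of the root project and ends at `target`.
// Assumes a flat node_modules, i.e. each package is at "node_modules/<name>".
function dependencyPaths(lockData, target) {
  const pkgs = lockData.packages;
  const paths = [];
  function walk(name, chain) {
    if (chain.includes(name)) return; // guard against dependency cycles
    const next = [...chain, name];
    if (name === target) {
      paths.push(next);
      return;
    }
    const entry = pkgs[`node_modules/${name}`];
    if (!entry) return; // not in the lock file: nothing further to follow
    for (const dep of Object.keys(entry.dependencies || {})) walk(dep, next);
  }
  for (const direct of Object.keys(pkgs[""].dependencies || {})) walk(direct, []);
  return paths;
}

// The direct dependencies that (transitively) pull in `target`, deduplicated.
function directDependentsOf(lockData, target) {
  return [...new Set(dependencyPaths(lockData, target).map((p) => p[0]))].sort();
}

for (const p of dependencyPaths(lock, "left-pad")) console.log(p.join(" -> "));
```

Run against a real lock file by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; nested (non-hoisted) `node_modules` entries are not resolved by this simplified walk.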