by smt88
3079 days ago
As others have said countless times on the original thread: new packages from different users should never have been allowed to replace the missing packages. Even if a package is removed as malware, a user should never unexpectedly download the work of a totally new author that they haven't vetted. Some of the protections should be done on the user side, but that's no reason for NPM to have dangerous policies.
Oversight != 'dangerous policies'. Seems like they thought they had this fixed.