Hacker News
by Kliment 3079 days ago
Trouble is, if they do that, someone else will quickly replace them, take over the same function, and users will likely not notice that they are now trusting a different unverifiable entity to ensure package integrity.
1 comments

Users will continue to trust what comes packaged with node. Nothing needs to change from a user's perspective. They will still type npm ... But it will point to a new infrastructure (and more importantly led by nobody currently leading npm).

If node wants to do this, I think they totally can. There just needs to be the will to cut off and blacklist the current npm team.