`In the course of reviewing and acting on spam reports, an npm staffer acted on this flag without further investigating the user and removed the user and all of their packages from the registry.`
Specifically, a policy that allows removing "all of [a user's] packages" based on something related to the user rather than on the packages themselves.
Feels like there should be a disconnect between decisions made about a 'user' and those made about a 'package'.
Once the package is published, there should be an understanding that the package belongs to npm and npm's users, even if the original publisher retains some authority over it.
And if there is cause to ban a user, it should not automatically mean that packages published by the user are affected (aside from removing whatever authority the user had).