by qwertox 1693 days ago
I just can't agree with this. The problems npm has are not new, surprising ones. They are happily letting people upload malware.

https://my.diffend.io/npm/coa/2.0.3/2.0.4/

In 2021, why on earth does such a change not trigger a review before release?

2 comments

I know npm feels like the wild west, but you can audit. It's quite a challenge to review many of the C, C++ libraries out there that are just a .zip file stored on a website.

My point is that npm is auditable, trackable. I'm not challenging the bug itself, nor the security issue.

Trigger a review where and by whom?
The receiving server would trigger it. The first review should be done by the owner, who should be contactable via email and authenticate via 2FA and acknowledge the modification.

Then I'd guess that Microsoft has enough information with npm's history to train an AI. Especially the modifications made in these versions could easily trigger suspicious activity.

Did you look at the diffs?

Also, three years of inactivity and then a sudden upload should easily trigger a manual review, even if it is by automatically opening an issue with a review request on that project's GitHub page.
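The review trigger the comment above describes (a long quiet period followed by a sudden release, or a release from an account that has never published the package before) can be computed from the npm registry's public metadata. The following is an added example, not code from this thread or from npm: it runs that heuristic over a constructed packument excerpt for a hypothetical package `example-pkg`. The field shapes (`time` mapping version to ISO timestamp, `versions[v]._npmUser.name`) follow the registry document format; the dates, versions and account names are made up.

```javascript
// Added example: release-review heuristic over constructed npm registry metadata.
// Not code from the HN thread or from npm. Field shapes follow the registry
// "packument"; all values below are constructed sample data.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed history for a hypothetical package "example-pkg".
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  time: {
    created: "2017-01-10T08:00:00.000Z",
    modified: "2021-11-04T13:00:00.000Z",
    "1.0.0": "2017-01-10T08:00:00.000Z",
    "1.1.0": "2017-06-02T09:30:00.000Z",
    "1.1.1": "2018-02-15T11:45:00.000Z",
    "1.1.2": "2021-11-04T13:00:00.000Z", // first release after ~3.7 years
  },
  versions: {
    "1.0.0": { _npmUser: { name: "maintainer-a" } },
    "1.1.0": { _npmUser: { name: "maintainer-a" } },
    "1.1.1": { _npmUser: { name: "maintainer-a" } },
    "1.1.2": { _npmUser: { name: "new-account" } }, // never published this package before
  },
};

// Releases in publish order, each with the gap in days since the previous
// release and the account that published it (null if not recorded).
function releaseTimeline(packument) {
  const entries = Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, publishedAt: Date.parse(iso) }))
    .sort((a, b) => a.publishedAt - b.publishedAt);
  return entries.map((entry, i) => ({
    ...entry,
    gapDays: i === 0 ? 0 : Math.round((entry.publishedAt - entries[i - 1].publishedAt) / DAY_MS),
    publisher: packument.versions?.[entry.version]?._npmUser?.name ?? null,
  }));
}

// Releases that deserve a manual review before they are trusted: published
// after more than `maxQuietDays` of inactivity, or by an account that has not
// published this package before. Returns [{ version, reasons }].
function flagForReview(packument, { maxQuietDays = 365 } = {}) {
  const seenPublishers = new Set();
  const flagged = [];
  for (const rel of releaseTimeline(packument)) {
    const reasons = [];
    if (rel.gapDays >= maxQuietDays) {
      reasons.push(`first release after ${rel.gapDays} days of inactivity`);
    }
    if (rel.publisher && seenPublishers.size > 0 && !seenPublishers.has(rel.publisher)) {
      reasons.push(`published by previously unseen account "${rel.publisher}"`);
    }
    if (rel.publisher) seenPublishers.add(rel.publisher);
    if (reasons.length > 0) flagged.push({ version: rel.version, reasons });
  }
  return flagged;
}

console.log(JSON.stringify(flagForReview(SAMPLE_PACKUMENT), null, 2));
```

Against live data the packument comes from `https://registry.npmjs.org/<name>`; the thresholds here are assumptions, and a lockfile-wide run would apply `flagForReview` to every dependency and route the flagged versions to a human before they are installed.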