by Snetry 1620 days ago
Users are entitled to the project as far as the License grants them.

It does not enforce how a project is run or distributed.

If the author of is-even deleted his package, who can tell him he is in the wrong?


The host, who can, according to the license, continue to host it for the other 99.999% of users. The host, for example NPM, is the one who owns the service and need not provide the uploader with the privilege of revocation.
And then if there is a CVE along the way, someone has to go and maintain it, and that's exactly what no one wants to do.
Seems like they could simply provide a way to notify users and service of something like that without providing the ability to unilaterally yank it.
How are you going to distribute that message? Over NPM? No one is going to read that.

At best the community can stand up and fork, which means they have to move ownership to some rando.

Well, first by communicating with NPM, which could take an extraordinary action to break builds in the case where this is the least bad action, or by doing something logical and providing developers or company contacts to register to receive warnings, ideally based on parsing actual dep versions and transmitting a message directly to the designated contact for a project.