NPM ci is currently broken (medium.com)
2 points by aato 1618 days ago
1 comments

See also https://github.com/npm/cli/issues/2701

I think this is quite a serious issue which has been open for almost a year. I don't understand why there hasn't been a reaction from the npm developers on the issue (as far as I can see). npm 8.3.1 (the current version) is still vulnerable.

It might not be directly exploitable but it can leave you open to all kinds of security and/or stability issues. It is also a regression from npm 6.