by robbie-c 1581 days ago
> I don't like GitHub's security screener dismissing this report because of the "social engineering" aspect.

Agreed.

I get where it comes from, npm isn't responsible for individual contributors getting social-engineered, but this is much deeper than that, and part of the flaw is with npm's support allowing the password reset to go through.


What do you suggest as an alternative to password reset based on the account email?
If you retired the email because the domain expired, maybe don't let it reset existing accounts. It's dead.
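One way a registry could implement the rule proposed in the last reply (refuse email-based password resets when the account's email domain has lapsed) is shown below. This is an added example, not code from the thread or from npm or GitHub; the `DomainRecord` lookup, the `Account` fields and the sample dates are all hypothetical, and in practice the lookup would be backed by RDAP/WHOIS and DNS rather than the constructed table used here. It also covers the case the replies are describing: a domain that expired and was then re-registered by someone else after the account holder last verified the address.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

# Hypothetical view of a domain's registration, as an RDAP/WHOIS lookup
# might return it. Only the two dates the decision needs are modelled.
@dataclass
class DomainRecord:
    registered_at: datetime   # start of the *current* registration period
    expires_at: datetime      # end of the current registration period


# Hypothetical account record: the address on file and the last time the
# account holder proved control of that address (e.g. by clicking a link).
@dataclass
class Account:
    email: str
    email_verified_at: datetime


DomainLookup = Callable[[str], Optional[DomainRecord]]


def email_domain(email: str) -> str:
    """Return the normalised domain part of an email address."""
    return email.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def reset_decision(account: Account, now: datetime,
                   lookup: DomainLookup) -> Tuple[bool, str]:
    """Decide whether an email-based password reset may be sent.

    Returns (allowed, reason). The reset is refused when the domain is not
    registered at all, has expired, or was (re)registered *after* the account
    holder last verified the address, since the current registrant may then be
    a different person than the one who verified it.
    """
    record = lookup(email_domain(account.email))
    if record is None:
        return False, "domain-unregistered"
    if record.expires_at <= now:
        return False, "domain-expired"
    if record.registered_at > account.email_verified_at:
        return False, "domain-reregistered-since-verification"
    return True, "ok"


# Constructed sample data (not real domains or accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_DOMAINS = {
    # healthy: registered long ago, still valid
    "maintainer.example":   DomainRecord(datetime(2015, 1, 1, tzinfo=timezone.utc),
                                         datetime(2026, 1, 1, tzinfo=timezone.utc)),
    # lapsed: registration period already ended
    "lapsed.example":       DomainRecord(datetime(2015, 1, 1, tzinfo=timezone.utc),
                                         datetime(2024, 1, 1, tzinfo=timezone.utc)),
    # re-registered: current period started after the owner last verified it
    "reregistered.example": DomainRecord(datetime(2024, 3, 1, tzinfo=timezone.utc),
                                         datetime(2025, 3, 1, tzinfo=timezone.utc)),
}


def sample_lookup(domain: str) -> Optional[DomainRecord]:
    """Offline stand-in for an RDAP/WHOIS query over the constructed table."""
    return SAMPLE_DOMAINS.get(domain)


VERIFIED_2020 = datetime(2020, 5, 5, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = {
    "healthy":      Account("dev@maintainer.example", VERIFIED_2020),
    "lapsed":       Account("dev@lapsed.example", VERIFIED_2020),
    "reregistered": Account("dev@Reregistered.example", VERIFIED_2020),
    "gone":         Account("dev@never-registered.example", VERIFIED_2020),
}


def run_samples() -> dict:
    """Evaluate every constructed account; returns {name: (allowed, reason)}."""
    return {name: reset_decision(acct, NOW, sample_lookup)
            for name, acct in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:13s} allowed={allowed!s:5s} reason={reason}")
```

The re-registration check is the one that matters for the scenario in the thread: an expired domain that is simply unregistered cannot receive mail, so a reset to it is merely useless, but a domain that has been picked up by a new registrant delivers the reset link to whoever now controls it. Comparing the current registration start against the account's last verification date catches that without needing to know who the new registrant is; a service that refuses the reset can then fall back to a stronger recovery path instead.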