Hacker News
by tomphoolery 1403 days ago
These problems exist with every package manager, and every ecosystem of reusable modules that can be downloaded from a 3rd-party location. The problems that `left-pad` caused are minuscule compared to the ones created by Log4J. It's just the trade-off you make when you download a package from the internet vs when you write the code by hand. NPM may have more instances these days because it happens to be the most popular, but CPAN had the same problems over 20 years ago. The next package ecosystem to come along will also inherit a vulnerability to supply chain attacks, being part of the supply chain.

I don't think NPM is the best way to create a package manager, in fact there are many choices they made that I think are rather stupid and led to many more problems than there needed to be (whoever decided that the default for `npm add` should be a caret dependency instead of a tilde should never be allowed to work in the industry again, IMHO). But I'm not going to blame them for a problem that definitely existed in the package management world before them and will continue to exist long after everyone forgets about NPM.

1 comment

The default should be shrinkwrap, like `yarn`, with the ability to upgrade packages manually when you decide that it's a good time to upgrade packages. I don't like things changing at all without explicit interaction. Services like Snyk will let me know if there's a specific security concern with a package version I'm relying on.

Which is why I use `yarn`, I guess.
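An added example, not code from either commenter, showing concretely what the two posts above are arguing about: how a caret spec (`^`), a tilde spec (`~`) and an exact pin resolve against the same set of published versions. The package and its version list are constructed for illustration; the range rules implemented are the ones npm's semver uses for plain `x.y.z` versions (no prerelease tags or build metadata), and `resolve` mirrors what a fresh install without a lockfile does: take the highest published version the spec allows.

```javascript
// Added example (not from the HN thread): caret vs tilde vs exact pin.
// Everything here is constructed; "example-pkg" and its versions are made up.

function parseVersion(v) {
  // Only plain MAJOR.MINOR.PATCH is supported; prerelease/build tags are out of scope.
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Translate a spec into an inclusive lower bound and an exclusive upper bound.
// "1.2.3"  -> exactly 1.2.3
// "~1.2.3" -> >=1.2.3 <1.3.0   (patch updates only)
// "^1.2.3" -> >=1.2.3 <2.0.0   (minor and patch updates; for 0.x the leftmost
//                               non-zero component is what is held fixed)
function rangeFor(spec) {
  const op = /^[\^~]/.test(spec) ? spec[0] : "";
  const base = op ? spec.slice(1) : spec;
  const [maj, min, pat] = parseVersion(base);
  if (op === "") return { lower: base, upper: null, exact: true };
  let upper;
  if (op === "~") {
    upper = `${maj}.${min + 1}.0`;
  } else if (maj > 0) {
    upper = `${maj + 1}.0.0`;
  } else if (min > 0) {
    upper = `0.${min + 1}.0`;
  } else {
    upper = `0.0.${pat + 1}`;
  }
  return { lower: base, upper, exact: false };
}

function satisfies(version, spec) {
  const r = rangeFor(spec);
  if (r.exact) return compareVersions(version, r.lower) === 0;
  return compareVersions(version, r.lower) >= 0 && compareVersions(version, r.upper) < 0;
}

// What an unpinned install does: highest published version that the spec allows.
function resolve(spec, published) {
  const candidates = published.filter((v) => satisfies(v, spec)).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed registry state for the hypothetical "example-pkg". Imagine the
// project was written against 1.2.3 and 1.5.0 was published last night.
const PUBLISHED = ["1.2.3", "1.2.9", "1.3.0", "1.5.0", "2.0.0"];

// Resolve the three spec styles against that state and return the picks.
function demo() {
  const result = {};
  for (const spec of ["^1.2.3", "~1.2.3", "1.2.3"]) {
    result[spec] = resolve(spec, PUBLISHED);
  }
  return result;
}

console.log(demo());
// { '^1.2.3': '1.5.0', '~1.2.3': '1.2.9', '1.2.3': '1.2.3' }
```

The caret spec silently pulls in 1.5.0, a version nobody on the project has reviewed; the tilde spec limits drift to patch releases; the exact pin behaves the way a committed lockfile (`yarn.lock`, `package-lock.json` or an `npm-shrinkwrap.json`) does for the whole tree, which is the "nothing changes without explicit interaction" property the second comment asks for. Note that a lockfile only helps if it is committed and honoured by the install command (`yarn install --frozen-lockfile` / `npm ci` rather than a plain `npm install`).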