by rester324 334 days ago
Which is a wrong conclusion if I understand you correctly.

You can just host your own package repo and run your own verification to confirm if a package is indeed vulnerable or not. If it's not, you can just continue your operations as usual, regardless of what NPM (the company, the host provider, not the CLI tool) does in the background.


Not if your IT dept is lazy and has to meet some sort of security compliance; then they force the task on you to develop this “own package repo”, or they just use Dependabot and force your team to create a quarterly ticket to rake the security bugs out of the code.