by lvass 229 days ago
Why didn't crates.io maintainers apply the patch themselves? NPM does meddle with packages when an incident happens like they did with left-pad.
2 comments

I think that would be pretty disruptive, and would break some assumptions around crate integrity that are deeply held.

My understanding is that the left-pad incident is not directly analogous, since it involved restoring a deleted package rather than modifying an extant package.

Do you have a more relevant example of meddling besides a binary block/publish?