Hacker News
by user3939382 16 days ago
Then shouldn’t the analyzers just be part of NPM’s acceptance requirements?
2 comments

I think if they did it, then attackers would be able to iterate their attack against their own project, and once it passes the filters they could deploy for real.

I guess it could work better if it was enabled for only actual attack vectors projects.

That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.