> "even if they've been a malicious actor the whole time"
That is a sound argument, even if the integrity of the package were to check out (if npm tracks this internally at all).
Better to adopt a PyPI-style approach of temporarily "quarantining" packages while investigating allegations of malware for big-scale projects. Instead, npm pulled the plug outright, stating: "This package contained malicious code and was removed from the registry..." (generic placeholder page), which is inaccurate and likely to cause panic.
https://www.npmjs.com/package/stylus