@jon @fallenhitokiri when an ecosystem enables a disgruntled package owner (rightfully in this case - pad-left) https://archive.is/XMea1 to bring down the internet, it is an active risk (security and otherwise) for any company using the ecosystem. People being diligent about vetting dependencies alone wouldn't suffice.
@chanakya @fallenhitokiri part of proper vetting should be running your own registry with only vetted packages in it, which among other things prevents another company’s lawyers from causing a dependency you rely on to suddenly become unavailable.
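One concrete way to enforce the "only vetted packages" rule from the reply above, as an added example that is not from either poster: a CI check that every entry in an npm package-lock.json resolves to the internal registry and carries an integrity hash. The registry URL, package versions and hashes in it are constructed placeholders.

```javascript
// Added example (not from the thread): fail a build when any entry in an npm
// package-lock.json was resolved from somewhere other than the vetted
// in-house registry, so a package pulled from the public registry (as
// left-pad was) cannot silently enter the dependency tree.
// Registry URL and lock contents are constructed for illustration.

const VETTED_REGISTRY = "https://registry.example.internal/";

// Constructed lock file (lockfileVersion 2/3 "packages" layout): one entry
// from the private mirror, one still resolved against registry.npmjs.org.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "1.3.0", lodash: "4.17.21" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.example.internal/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

// Return every dependency whose tarball URL is outside the vetted registry
// or that lacks an integrity hash (an unpinned tarball can change under you).
function findUnvettedEntries(lock, registry = VETTED_REGISTRY) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;  // root project / workspace links
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      problems.push({ name, reason: "resolved outside vetted registry" });
    } else if (!entry.integrity) {
      problems.push({ name, reason: "missing integrity hash" });
    }
  }
  return problems;
}

// In CI: run against the real lock file and refuse to build on any finding.
const findings = findUnvettedEntries(SAMPLE_LOCK);
if (findings.length) console.error("unvetted dependencies:", findings);
```

Pair this with an npmrc that points `registry=` at the mirror, so new installs resolve there and the check only catches drift.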