@lanodan hate to be a contrarian, but yeah, looks normal (insofar as what can be done) to me. there's nothing the 'npmjs package registry' can realistically do about this issue- you should probably think about what the actual fundamental issue is here. there's no way to have any dependencies on anything without reviewing any update of them (any language, etc), without being vulnerable to exactly this, done by someone in there.

there's no way to solve social issues with technology like this- every package registry is 'vulnerable' to the exact same thing. npm can't "prevent" people from uploading anything any more than any registry can, in the same way npm can't solve people getting bullied in primary school.

what would your solution be? let me guess- it would be a bunch more 'middlemen' in the middle 'reviewing every change to anything', which obviously doesn't scale, because if it did, it would be what everyone would use, but evidently javascript developers(and further, pretty much literally every language nowadays!) don't. you should think as to why that is. it's not as simple as "everything sucks lol they should just not do it, they just picked the wrong model".

as for the direct marks:

elegant: subjective, not relevant (marketing)
productive: subjective, not relevant (marketing)
17 million: this might even be too small tbh
safe: believe it or not, somewhat subjective, but the only things for npm to do in this regard is stuff like:

- automatic screening with various metrics (this is basically a false-positive fest and idk if anyone does this at all)
- good account protection so things don't get hijacked (they don't do this worse than anyone else afaik)
- good ''architecture'' so someone doesn't just get access to all the packages somehow and can replace something that exists, usual defence stuff (afaik they do do this, like the other package registries)

that's basically it. everything else is social- you cannot 'fix' that in any registry. npm is just all anyone hears about because it's by far the most widely used, so by absolute scale it's the "worst" one. i don't hear anyone complaining about git submodules though, or makefiles that 'fetch a tarball', ... where the scope of 'safety' is exactly the same as this, with the same potential bad outcomes, and usually the exact same attack models.