
Comment by 3np

2 years ago

Re 2: How is that "spoofing"..?

You just demonstrated the uglier package-manager-independent overrides (npm)/resolutions (yarn) alternative method. Because for whatever reason they couldn't play nice with each other.

npmjs.com seems to be interpreting the field incorrectly but 1) AIUI that does not affect actual npm usage, 2) If you rely on that website for supply-chain-security input I have a bridge to sell... Basically all the manifest metadata is taken as-is and if the facts are important they should be separately verified out-of-band. Publishers could arbitrarily assign unassociated authors, repo URL, and so on.

https://docs.npmjs.com/cli/v9/configuring-npm/package-json#o...

https://classic.yarnpkg.com/lang/en/docs/selective-version-r...
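Added example (mine, not the commenter's): a small audit script that flattens npm `overrides` (nested form) and yarn classic `resolutions` (glob/path form) out of a package.json and flags pins that redirect a package to a non-registry source, the kind of out-of-band check the comment says is needed rather than trusting a website's rendering of the manifest. The sample manifest, the `example.invalid` URLs and the helper names are constructed for this example.

```python
import json
import re

# Constructed sample manifest (not from any real project): npm "overrides"
# in nested form alongside yarn classic "resolutions" in glob/path form.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {"express": "^4.18.0"},
  "overrides": {
    "lodash": "4.17.21",
    "express": {".": "4.18.2", "qs": "6.11.0"},
    "colors": "git+https://example.invalid/someone/colors.git"
  },
  "resolutions": {
    "**/minimist": "1.2.8",
    "webpack/ws": "https://example.invalid/ws-8.0.0.tgz"
  }
}"""

# Specs that pull code from somewhere other than the registry entry for that
# name: git URLs, tarball URLs, local paths and GitHub shorthand (user/repo).
NON_REGISTRY = re.compile(r"^(git\+|git:|https?:|file:|github:|[\w.-]+/[\w.-]+$)")

def _walk_overrides(node, path=()):
    """Yield (dependency path, spec) from npm's nested overrides tree.
    A "." key inside a nested block pins the enclosing package itself."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from _walk_overrides(value, path + (key,))
        elif key == ".":
            yield (path, value)
        else:
            yield (path + (key,), value)

def all_pins(package_json_text):
    """Return every override/resolution as (path tuple, spec)."""
    manifest = json.loads(package_json_text)
    pins = list(_walk_overrides(manifest.get("overrides", {})))
    for key, spec in manifest.get("resolutions", {}).items():
        pins.append((tuple(key.split("/")), spec))  # yarn nests with "/"
    return pins

def suspicious_pins(package_json_text):
    """Pins whose spec redirects a package to a non-registry source."""
    return [(path, spec) for path, spec in all_pins(package_json_text)
            if NON_REGISTRY.match(spec)]

if __name__ == "__main__":
    for path, spec in suspicious_pins(SAMPLE_PACKAGE_JSON):
        print("/".join(path), "->", spec)
```

Run against a real manifest by reading the file into `suspicious_pins`; a registry version pin is ordinary, while a git or tarball redirect is the thing worth confirming by hand.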