Comment by greatgib
1 day ago
In my opinion the problem has more to do with the whole corporate software ecosystem having lost past good practices:
Before, you were never to use a public version of something as-is. Each company had its own corporate repository, with each new version of a dependency being carefully curated before being added to the repository.
Normally you should not update anything without at least looking at the release note differential to understand why you update, but nowadays people add or update whatever package without even looking.
You just have to look at how many downloads typosquatted clones of famous projects get.
For me it is even bad for the whole ecosystem: as everyone is doing that, the ones still doing it properly are at odds, slower and less nimble. And so there is a dumping, with no one anymore committed to paying the cost of having serious software practices.
In my opinion, node, npm and the js ecosystem are responsible in large part for the current situation, pushing people and newbies to wrong practices. Cf. all the "is-*" packages...
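One concrete form of the curation step the comment describes, as an added example that is not part of the original post: before a dependency is admitted to an internal repository, compare its name against the curated allowlist and flag near-miss names that could be typosquats. The allowlist, the distance threshold and the package.json content below are constructed for the example.

```python
import json
from typing import Dict, Tuple

# Constructed allowlist standing in for a company's curated internal registry.
CURATED_PACKAGES = {"lodash", "express", "react", "is-number", "chalk", "debug"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_dependency(name: str, max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, closest curated name).

    'curated'   -> exact member of the allowlist
    'lookalike' -> within max_distance edits of an allowlisted name (a
                   transposition such as 'lodahs' costs 2 in plain Levenshtein)
    'unknown'   -> neither; needs a manual review before admission
    """
    if name in CURATED_PACKAGES:
        return ("curated", name)
    closest = min(CURATED_PACKAGES, key=lambda c: edit_distance(name, c))
    if edit_distance(name, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", "")


def audit_package_json(text: str) -> Dict[str, Tuple[str, str]]:
    """Classify every dependency declared in a package.json document."""
    manifest = json.loads(text)
    names = {}
    for section in ("dependencies", "devDependencies"):
        names.update(manifest.get(section, {}))
    return {name: classify_dependency(name) for name in names}


# Constructed manifest: one curated, one lookalike and one unknown dependency.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "^4.17.21", "lodahs": "^1.0.0"},
  "devDependencies": {"left-pad-ish": "^1.0.0"}
}"""

if __name__ == "__main__":
    for name, (verdict, closest) in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        hint = f" (resembles {closest})" if verdict == "lookalike" else ""
        print(f"{name}: {verdict}{hint}")
```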