FYI, there is a massive cyberattack on NPM right now: package developers are being attacked, nasty commits are being added and published, and tokens are being stolen and used to corrupt more packages. The ecosystem is currently widely corrupted. We just got an advisory from the NZ government about it.
This seems to be the move forward https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
A large number of the commits over the past five years contain JavaScript which is immediately suspect.
Like most people, I have my issues with NPM. But this is a big problem for any platform that hosts large amounts of code. You can't verify that much code for vulnerabilities. F-Droid is probably the most successful at any sort of scale.
Wallets using npm were hacked via npm malware on many occasions before. I am not aware of the deep details; this is one loophole.
GitHub verifying PGP identity and signatures is a must also.