I wonder, do you want to include automatic version updates in the
dependency? In that case you already have a trust relationship with the
package author, as any update could come with new malicious code anyway. If
you already have such a trust relationship that you trust updates to be OK, I
don't see i

As I understand it, a package author can un-publish their package on
npmjs.com, and somebody else can publish a package with the same name. If I
create a package that depends on a package from npmjs.org, I have little
protection against a "bait-and-switch" which could result in unwanted, even
malici