Disclosure: I was the Staff Engineering Manager for the npm CLI team between July 2019 & December 2022. I was a part of the GitHub acquisition of npm inc. in 2020. I left GitHub, for various reasons, in December.

tl;dr

- an npm package's manifest is published independently from its tarball
- manifests are never fully validated against the tarball's contents
- the ecosystem has broadly assumed the contents of
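The check the tl;dr says the ecosystem never performs, as an added example that is not part of the original post or of any npm tooling: read `package/package.json` out of a tarball in memory and diff it against the manifest the registry serves for that version. The registry manifest, the tarball, and the list of fields compared (`CHECKED_FIELDS`) are all constructed for this example; which of the two sources a given client or scanner believes is tool-specific and is deliberately not asserted here.

```python
import io
import json
import tarfile

# Fields worth comparing between the registry manifest and the tarball's
# package.json. Assumption for this example, not an npm-defined list.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def build_tarball(package_json: dict) -> bytes:
    """Build an in-memory npm-style tarball that holds only package/package.json.

    Constructed sample data for this example, not a real registry artifact.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo(name="package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_package_json(tarball: bytes) -> dict:
    """Read package/package.json from a tarball without extracting it to disk."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        # getmember raises KeyError if the entry is missing, which is the
        # right outcome: a tarball with no package.json is not validatable.
        member = tar.getmember("package/package.json")
        handle = tar.extractfile(member)
        if handle is None:
            raise ValueError("package/package.json is not a regular file")
        return json.load(handle)


def manifest_mismatches(registry_manifest: dict, tarball: bytes) -> dict:
    """Compare the registry's version manifest with the tarball's package.json.

    Returns {field: (registry_value, tarball_value)} for every checked field
    whose value differs. An empty dict means the two sources agree.
    """
    inner = tarball_package_json(tarball)
    diffs = {}
    for field in CHECKED_FIELDS:
        if registry_manifest.get(field) != inner.get(field):
            diffs[field] = (registry_manifest.get(field), inner.get(field))
    return diffs


# Constructed sample: the manifest the registry serves for the version.
REGISTRY_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {},
}

# Constructed sample: the package.json actually shipped inside the tarball,
# which declares a dependency and an install script the manifest omits.
SAMPLE_TARBALL = build_tarball({
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"some-dep": "^1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
})


if __name__ == "__main__":
    for field, (registry_value, tarball_value) in manifest_mismatches(
        REGISTRY_MANIFEST, SAMPLE_TARBALL
    ).items():
        print(f"{field}: registry={registry_value!r} tarball={tarball_value!r}")
```

Against real data you would fetch the version manifest from the registry's packument and the tarball from its `dist.tarball` URL; the comparison itself does not change. Any non-empty result is worth treating as a policy failure rather than a warning, since the two sources are supposed to describe the same artifact.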
![The massive bug at the heart of the npm ecosystem](https://blog.vlt.sh/static/images/banner.png)