silverwind 4 hours ago
So, who is going to audit the thousands of new packages/versions that are published to npm every day? It only works for Debian because they hand-pick popular software.
whizzter 28 minutes ago
This is maybe where we could start getting money into the open-source ecosystems. One idea I've had is that publishing is open as today, but security firms could offer audit signatures. So a company might pay security firms and only accept updates to packages that have been audited by 1, 2, 3 or more of their paid services. Thus money would be paid in the open to have eyes on changes for popular packages and avoid the problem of that weird lone maintainer in northern Finland being attacked by the Chinese state.
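The "only accept updates audited by k of your paid firms" policy sketched above, as an added Go example (not the commenter's code): each firm publishes an Ed25519 signature over name@version plus the tarball digest, and the installer counts distinct trusted signers before accepting. The auditor names, keys and tarball bytes are constructed for the demo, and the k-of-n threshold is applied at the call site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestation is one audit firm's signed claim that it reviewed a specific tarball.
type Attestation struct {
	Auditor string
	Sig     []byte
}
// attestMsg binds a signature to name@version and the tarball digest, so it cannot be replayed onto another version or a tampered tarball.
func attestMsg(name, version string, tarball []byte) []byte {
	return []byte(fmt.Sprintf("%s@%s:%x", name, version, sha256.Sum256(tarball)))
}
// Sign creates one auditor's attestation for the tarball.
func Sign(auditor string, key ed25519.PrivateKey, name, version string, tarball []byte) Attestation {
	return Attestation{auditor, ed25519.Sign(key, attestMsg(name, version, tarball))}
}

// CountValid counts distinct trusted auditors whose signature verifies over this exact tarball; unknown firms, bad signatures and one firm signing twice add nothing. The install policy is then CountValid(...) >= k.
func CountValid(trusted map[string]ed25519.PublicKey, name, version string, tarball []byte, atts []Attestation) int {
	msg, seen := attestMsg(name, version, tarball), map[string]bool{}
	for _, a := range atts {
		if pub, ok := trusted[a.Auditor]; ok && !seen[a.Auditor] && ed25519.Verify(pub, msg, a.Sig) {
			seen[a.Auditor] = true
		}
	}
	return len(seen)
}
// DemoKeys builds deterministic keypairs for three constructed audit firms (demo only; real auditor keys come from a CSPRNG and are distributed out of band).
func DemoKeys() (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	pubs, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for i, name := range []string{"auditA", "auditB", "auditC"} {
		seed := make([]byte, ed25519.SeedSize)
		seed[0] = byte(i + 1)
		privs[name] = ed25519.NewKeyFromSeed(seed)
		pubs[name] = privs[name].Public().(ed25519.PublicKey)
	}
	return pubs, privs
}

func main() {
	pubs, privs := DemoKeys()
	tar := []byte("constructed tarball bytes for example-pkg@1.3.0") // stand-in for the real .tgz
	atts := []Attestation{Sign("auditA", privs["auditA"], "example-pkg", "1.3.0", tar), Sign("auditB", privs["auditB"], "example-pkg", "1.3.0", tar)}
	fmt.Println("2-of-3 policy accepts:", CountValid(pubs, "example-pkg", "1.3.0", tar, atts) >= 2) // true
}
```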
jonhohle 2 hours ago
Maybe NPM should hand-pick popular packages and we should get away from this idea that every platform should always let everyone publish. Curation is expensive, but it may be worthwhile for mature platforms.