I agree with much of what you said here, but is it really just about the package manager? If I had specified this repo's git url with a specific version number or sha directly in my package.json, the outcome would be just about the same. And so that's not really an end-run around version control at that point. Even with npm out of the picture the problem is still there.

▲

Gigachad 3 hours ago | parent [-]

The root problem is the OS allows npm packages to grab your WhatsApp messages without the user knowing.

	▲	wincy 3 hours ago \| parent [-]
		This is an npm package that allows you to interact with WhatsApp using their API. The OS wouldn’t prevent this as it’s not interacting with your WhatsApp on your machine, but rather logging you in via a skillfully made 3rd party interface, that unfortunately happens to also be evil.