1
jestdotty
76d

I feel like instead of disallowing people from pulling their packages from npm, the actual solution should've been to have another company crop up that just cached packages on npm

then the devs that think this level of security applies to them can pull packages from the cached service, and there are no such shenanigans like the "everything" package

and people on npm can still unpublish

not being able to unpublish is so authoritarian... but caching is "I'm not responsible for this anymore so who cares"

similarly the cached service shouldn't pull in everything but only things people called for

because in a bunch of my projects, if something is pulled I'm totally fine with rolling my own or finding something else

but for corporate projects that would be hell for them. they have different needs.

let's be real, there needs to be the 4chan of packages
