@poller In terms of NPM's history:

NPM's problems were made worse by the impact of its response to the left-padd incident in 2016, after it was capitalized. Instead of making efforts to ensure "Same Publisher", they said "No deletions".

The "Everything" package incident was in 2024, which highlighted an issue with this model. Several issues actually, but we should focus on "If there is something critically wrong with a package, the problem cannot be resolved by the developer".

Essentially, NPM had a position of corporate control when it made mistakes and had warning - and NPM should have had the benefit of being a proprietary project at each of those times.

More importantly though

We -- as a community -- must focus on designing security from day 0.

This is probably not terribly practical (projects start because people want the ability to do things. Security gets added as understanding of the thing improves. Preferably added in a well integrated way), but perhaps more importantly - this is NOT the argument you made.

Security from day 0 is not "Hire a bunch of experts" - a very expensive task for little gain. It's security by design. It's "Understand scope", and "Be honest about what your community can handle, especially to yourself. If a major company is sending tons of security notices to you, refuse or demand payment, cause clearly they are using your tool in a way you can't support.".

Pretty much every "solution" you discussed involves a LOT of experts, and no consideration for structure (what do you expose), respecting the dependency project's scope, or being intentional about dependency upgrades (or dependencies themselves!). From my perspective, that is selling security as a product, not a mindset. Trying to turn software into corporate only, not resolving issues in Open Source.