It's weird to me that 13 years later npm's security is still primarily handled by third parties. But if Microsoft started charging to secure the registry tomorrow it would probably get yelled at; you can't be the steward of the registry and also try to profit from it, as npm Inc learned painfully.