What if?
What if you have reviewed what you imported, but the maintainer behind that package is using some dumb email address like blabla@expireddomain.com, and after a few months some malicious actor claims expireddomain.com and pushes a new update to that package (maybe an urgent security update)? In that case there is a possibility that you update that package (as you would assume that you had reviewed the package initially) and go on with updating, but now the updated one would have that malicious stuff.
In short, the first maintainer or developer was not malicious but was dumb or ignorant enough to use an email address that would not be maintained after a few years, leaving it expired and claimable, which eventually means maintainer-level access to some NPM package is left unclaimed and available to some malicious owner.
Your strategy is good, but the defense strategy in this article is for these types of cases.