Hacker News

maniacwhattoday at 10:04 AM, 0 replies

This raises a question in my head. If the author were to update the license to something restrictive, consumers and transitive consumers will npm update at some point, and likely not notice the dependency change.

They would then be breaking the license terms without realizing.

Is there anything in npm to protect against this? Projects have hundreds of dependencies, it's not feasible to manually check licenses haven't changed every time you update.