npm really needs to provide an option to set individual packages to only be publishable via trusted publishing.