I was really saying that if there is a compromised version that gets removed from NPM, then the projects using it do not need to be updated, unless of course they had the compromised version pinned.

Though plenty of orgs centralize dependencies with something like artifactory, and run scans.