This makes me think whether npm (and other registries) should apply security requirements based on ecosystem impact. Example a package having millions of downloads can have special security measures enforced.
What would be a security measure that should only be selectively enforced?
What would be a security measure that should only be selectively enforced?