npm install ask for confirmation when adding new/unpopular packages

[arye-eidelman]

How about when installing a package (for the first time) that was published within a month or has less than a thousand downloads there would be a confirmation prompt.

npm install electorn
electorn only has 255 downloads. Is that what you meant? [Y/N]

Or {x} had been published {y} days ago. Is that what your looking for? [Y/N]

If a publisher has other packages that pass the threshold then this would be skipped for their new packages.

Maybe this can reduce the likely hood of typosquatting attempts like This one found by Sonatype.

Potential issues

• Niche packages might be negatively affected by this. Maybe this can be addressed by reducing the download threshold after a year for example.

• New packages might have a harder time gaining traction.

• This just adds more noise without much affect.

[lirantal]

Considering that I created npq exactly for this I'm obviously all for it if we can have this as a default package manager behavior and nailing down a great developer experience.

[remyrylan]

Huge thumbs up from me for getting this implemented directly in npm. I had no idea npq existed, but I'm adding it everywhere now.

[lirantal]

Thanks, appreciate the kind words. Hoping to see this becoming more mainstream so we can drive more awareness for security concerns.