Yes, this exactly. Every single package I administer uses semantic-release, so for the past two months every single package has been failing. I used to have npm audit in my CI pipeline, but by now it’s been disabled in all of those projects. The odds of a vulnerability in a dependency of semantic-release causing problems are highly unlikely, to put it mildly, but despite many people being interested in an npm audit --production flag, and a promise that it was a WIP over a year ago, this option still hasn’t materialized.

On top of this, dependabot constantly harasses me about upgrading tar 2.2.1 to 2.2.2. It tries to upgrade it by editing package-lock.json directly, apparently, but to no avail, because the next time you npm install, npm will helpfully downgrade the package for you, thanks to the fact that the npm package uses bundled dependencies.

And if none of that sways you, npm has been shipping a product with a known security vulnerability for the past two months (and tar is their own package, so it’s not like they were waiting on someone else to fix it).
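As an added illustration (not code from the comment above) of how to triage an audit hit by hand while there is no production-only audit option: the script below walks a lockfile-v1 `dependencies` tree and reports every copy of a package together with its `dev` and `bundled` flags, so a copy that only exists under a dev-only tool like semantic-release can be told apart from one that ships. The lockfile, version numbers and the package name `some-prod-dep` are constructed samples.

```javascript
// Constructed sample lockfile (v1 layout): a dev-only tool (semantic-release)
// pulling in npm, which bundles its own copy of tar, plus one production
// dependency (hypothetical name) that depends on tar directly.
const sampleLock = {
  name: "my-package",
  lockfileVersion: 1,
  dependencies: {
    "semantic-release": {
      version: "15.0.0",
      dev: true,
      dependencies: {
        npm: {
          version: "6.4.1",
          dev: true,
          dependencies: {
            tar: { version: "2.2.1", bundled: true, dev: true },
          },
        },
      },
    },
    "some-prod-dep": {
      version: "1.0.0",
      dependencies: { tar: { version: "2.2.1" } },
    },
  },
};

// Return [{path, version, dev, bundled}] for every copy of `name` in the tree.
function findPackage(lock, name) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) {
        hits.push({
          path: path.join(" > "),
          version: meta.version,
          dev: Boolean(meta.dev),      // true: only reachable via devDependencies
          bundled: Boolean(meta.bundled), // true: shipped inside the parent's tarball
        });
      }
      walk(meta.dependencies, path); // nested deps live under each entry
    }
  })(lock.dependencies, []);
  return hits;
}

// Copies that actually reach production, i.e. the ones worth acting on first.
function productionCopies(lock, name) {
  return findPackage(lock, name).filter((h) => !h.dev);
}
```

A bundled copy (like the one under npm here) cannot be fixed by editing the lockfile, which is why a bot's edit is reverted on the next install; only a new release of the bundling package replaces it.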