
What can be done to help sort problems like this?


Integrating something like https://nodesecurity.io/opensource or https://snyk.io into your CI process will help flag issues you may want to know about if they are disclosed / discovered.

And yes, I get the irony of adding another dependency to help with the security mess caused by the node ecosystem's bent towards external untrusted / unverified dependencies.


Not a js dev, but it seems like when doing a compare if a package already exists, hyphens should be removed (so "crossenv" and "cross-env" are considered identical). "js" seems like needless verbosity, maybe take that out too.

I wouldn't doubt that there are package names that would collide because of such a change, but that's probably a good thing.

Does npm normalize package names with unicode in them? Would "сrοѕѕ-еnν" be considered equivalent? (Although this would only work if users copy/paste the name).
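The normalization check described in the comment above, written out as an added example (it is not code from the thread, from npm, or from any registry): a publish-time function that folds case and separators so "crossenv", "cross_env" and "cross-env" compare equal, and rejects names containing non-ASCII characters outright, because NFKC normalization folds compatibility forms (fullwidth letters and the like) but does not fold Cyrillic or Greek look-alikes onto their Latin twins. The list of existing package names is constructed for the demo.

```javascript
// Added example, not part of the original thread. Constructed list of names
// standing in for packages already published in the registry.
const EXISTING_PACKAGES = ['cross-env', 'lodash', 'left-pad', 'babel-core'];

// Canonical form for collision checks: Unicode compatibility normalization,
// lower-case, then strip the separators people typo or omit, so
// "cross-env", "cross_env", "cross.env", "CrossEnv" all map to "crossenv".
function canonicalName(name) {
  return name
    .normalize('NFKC')
    .toLowerCase()
    .replace(/[-_.]/g, '');
}

// True if any code point falls outside printable ASCII. Look-alike letters
// from other scripts (Cyrillic "с" U+0441, Greek "ο" U+03BF) survive NFKC
// unchanged, so they are rejected here instead of being compared.
function hasNonAscii(name) {
  return /[^\x20-\x7e]/.test(name);
}

// Decide whether a proposed new package name should be accepted.
// Returns { ok, reason } plus conflictsWith when a collision was found.
function checkNewName(proposed, existing = EXISTING_PACKAGES) {
  if (hasNonAscii(proposed)) {
    return { ok: false, reason: 'non-ascii characters in package name' };
  }
  const canon = canonicalName(proposed);
  // Map canonical form -> the already-published name that owns it.
  const byCanon = new Map(existing.map(n => [canonicalName(n), n]));
  if (byCanon.has(canon)) {
    return {
      ok: false,
      reason: 'canonical name collides with existing package',
      conflictsWith: byCanon.get(canon),
    };
  }
  return { ok: true, reason: 'no collision' };
}

// The look-alike name from the comment above, spelled with escapes:
// Cyrillic es, Latin r, Greek omicron, Cyrillic dze x2, hyphen,
// Cyrillic ie, Latin n, Greek nu.
const LOOKALIKE = '\u0441r\u03BF\u0455\u0455-\u0435n\u03BD';

for (const candidate of ['crossenv', 'cross_env', LOOKALIKE, 'my-new-tool']) {
  console.log(candidate, JSON.stringify(checkNewName(candidate)));
}
```

Running it prints a rejection for "crossenv" and "cross_env" (both collide with the published "cross-env"), a rejection for the mixed-script name, and an acceptance for "my-new-tool". The non-ASCII rule is deliberately blunt: a registry that wants to allow genuinely non-Latin names would need a per-script policy rather than this blanket check.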


Gardens. With gardeners. And walls.


And money for all three.


npm has about $10 million, so that shouldn't be a problem.


To be honest? I don't know. Bugs (or malicious end-runs) are only shallow with many eyes, and none of this has eyes on it.



