In light of the hack last week to Axios’ npm package, some are suggesting that using npm’s new minimum-release-age feature can be helpful. E.g.:

```
meteor npm config set minimum-release-age 10080
```
…will block any package less than 7 days old. The perhaps-optimistic plan is that hacked packages will be discovered in less than 7 days.
The current version of npm in Meteor 3.4 is 10.9.4, and minimum-release-age was first included in npm v11.10.0.
No doubt an upcoming Meteor release will bump npm to v11.10.0 or higher.
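The release-age gate described in the post, sketched as an added example (not part of the original post, and not npm's or Meteor's own code). It assumes the registry packument's `time` map of version to publish timestamp and reads 10080 as minutes, as the post does; the package name, versions, dates and function names are constructed for illustration.

```javascript
// Illustration of a release-age policy; not npm's implementation of the setting.
const MINUTE_MS = 60 * 1000;

// Constructed packument fragment in the shape the npm registry returns:
// "time" maps each published version to its ISO-8601 publish timestamp.
const samplePackument = {
  name: 'example-lib', // hypothetical package
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2026-03-30T12:00:00.000Z',
    '1.4.0': '2026-02-10T09:00:00.000Z',
    '1.4.1': '2026-03-20T09:00:00.000Z',
    '1.5.0': '2026-03-30T12:00:00.000Z', // published 2 days before "now"
  },
};

// Compare two plain x.y.z versions numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Split versions into those old enough to install and those still held back.
function applyReleaseAge(packument, minAgeMinutes, now) {
  const cutoff = now.getTime() - minAgeMinutes * MINUTE_MS;
  const allowed = [];
  const blocked = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (version === 'created' || version === 'modified') continue; // not versions
    (Date.parse(published) <= cutoff ? allowed : blocked).push(version);
  }
  allowed.sort(compareVersions);
  blocked.sort(compareVersions);
  return { allowed, blocked, newestAllowed: allowed[allowed.length - 1] ?? null };
}

// Per the post, the setting first shipped in npm v11.10.0.
function npmSupportsSetting(npmVersion) {
  return compareVersions(npmVersion, '11.10.0') >= 0;
}

const now = new Date('2026-04-01T12:00:00.000Z'); // constructed "current time"
console.log(applyReleaseAge(samplePackument, 10080, now));
console.log('npm 10.9.4 supports setting:', npmSupportsSetting('10.9.4'));
```

With the 7-day window the newest release is held back and resolution falls to the previous version, so a range such as `^1.4.0` keeps working while the fresh publish ages.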