The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries.
At the recent (November 2018) TC39 meeting, I presented on the enhancements needed to support least authority for JavaScript modules and libraries, adequate to have prevented this incident.
Besides es-discuss
would be a good place to discuss these issues.
--