
It's not inherently abusive; consider NPM resurrecting an earlier version of leftpad against the author's wish.

Who should provide security updates to an open source package when the author no longer has access to the repository, voluntarily or otherwise?

> voluntarily or otherwise?

You say this like there's not much difference between the two, but there's a world of difference.

One is someone yanking a repo and breaking millions of builds across the world and the maintainers of npm stepping in to fix things (in a move that is still controversial, mind you).

The other is the maintainers of the WordPress plugin repository starting a self-described "nuclear war" with the plugin maintainers, banning them from the repo, publicly disclosing a security vulnerability in the plugin, then hijacking it to save the day.

One is a potentially misguided step to solve a real problem. What Matt is doing here is just cosplaying Syndrome from The Incredibles.


> One is someone yanking a repo and breaking millions of builds across the world and the maintainers of npm stepping in to fix things (in a move that is still controversial, mind you).

Thank you for stating the move is still controversial. The root issue people always forget was NOT left pad. It was kik. It was not npm’s to take away from the package maintainer and give to someone else. That was the abuse of trust that caused the maintainer to also yank left pad. I am not this maintainer. I don’t know this maintainer. However, if someone went to my email provider for example Gmail and said I can’t use kik at Gmail dot com anymore and this email address would be given to kik now, I would be furious.

Imagine if Toyota came to the New York Times and said the New York Times can't have a page like nytimes.com/toyota. The lawyers at the Times would tell them to pound sand and/or see you in court.

NPM has never acknowledged its grave error of judgment. In fact, its website doubles down saying it stands by its decision.

If you told me Wordpress dot org would manage to outclown the clowns at npm, I would not believe you and yet here we are.


“voluntary or otherwise” is doing a ton of lifting there. Why does the original author no longer have access to the repository?

> updates to an open source package when author no longer has access to the repository

Give them the access. It's not like they forgot the password or are AWOL.


That would be more compelling if the only change was the security patch itself. Maybe a link to the “only supported” fork.
