We are distributing trust in too thin a way.
Node packages should be grouped in superset packages with trust concentrated on special maintainers. It makes no sense to upgrade a lot of small packages each time we do an "npm update".
Exactly! In the best place you have to handle it. A nice API can make sense about the operation on the data and help it evolve.
These discussions always create in my mind a picture of someone saying that we should be refilling all the forms that you have in a cabinet full of hand-filled forms because someone decided that a new version of the form requires a new field like an e-mail address.