SecBench.js
Dealing with unpublished packages
Looking through the packages with command-line injection vulnerabilities, I noticed that two of them have been unpublished (corenlp-js-interface and corenlp-js-prefab). With npm that is, of course, always a possibility, since both entire packages and individual package versions can be unpublished without prior notice by the owner and by npm staff. Do you have any plans for dealing with that?
Archiving the vulnerable versions might be a possibility, but could put you onto legally problematic ground since sometimes packages are unpublished for legal reasons (typically GDPR violations).