Created attachment 154447
NPM doesn't currently support package authentication, therefore subjecting users to the possibility of MITM attacks. For reference see this discussion here https://github.com/node-forward/discussions/issues/29
Additionally, npm allows downloading GitHub projects without any verification, directly from the developer to the user's system; see https://docs.npmjs.com/cli/install
The patch adds security advisories as a pkg-message.
Seems reasonable to me, but I'll let the port maintainer weigh in.
Maintainer timeout. Open to take.
I do not think it's necessary to add such a message.