What we need is a JS developer to take down an important package from NPM in protest, thus breaking the Internet again.
The NPM fiasco should no longer be possible
If you want to unpublish a package after 72 hours have passed, contact npm Support. For more information about why we don’t allow users to unpublish packages after 72 hours, see our unpublish policy.
https://docs.npmjs.com/unpublishing-packages-from-the-regist...
Not sure how npm works in detail, doesn't it pull directly from devs' repositories? In that case can't the devs just publish an update that breaks everything?
npm allows for installation of specific versions. So even if a dev publishes a new version that breaks, you can select a previous version known to work. A good dev shouldn’t be updating willy-nilly to the latest version just because it’s the latest. They ought to spec a particular version and update after testing.
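Added example, not part of the thread: a small Node.js check that lists which entries in a `package.json` are not pinned to one exact version, which is the situation the comment above warns about. The manifest, the package names and the helper names `classifySpec` and `auditManifest` are constructed for illustration.

```javascript
// Exact version: 1.2.3, optional "=" or "v" prefix, prerelease and build parts.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one dependency spec as it appears in package.json.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return 'pinned';
  if (/[:\/]/.test(s)) return 'other'; // git, URL, file or alias specs: review by hand
  // Empty string and "*" match any version; ^, ~, comparators, partial
  // versions (1, 1.2) and x-ranges (1.x) all float within a range.
  if (s === '' || /^[\^~<>=*\d]/.test(s) || /^[xX](\.|$)/.test(s)) return 'range';
  return 'tag'; // dist-tags such as "latest" move whenever the publisher retags
}

// Return every dependency whose spec can resolve to a different version later.
function auditManifest(manifest) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'pinned') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names and versions).
const sampleManifest = {
  name: 'demo-app',
  dependencies: {
    'pinned-lib': '2.4.1',
    'caret-lib': '^1.3.0',
    'tag-lib': 'latest',
  },
  devDependencies: {
    'tilde-tool': '~0.9.2',
    'git-tool': 'github:example-org/git-tool',
  },
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.section}: ${f.name}@${f.spec} is not pinned (${f.kind})`);
}
```

Exact versions in `package.json` only fix direct dependencies; transitive ones are fixed by a committed `package-lock.json` installed with `npm ci`.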