
The eternal flaw of NPM (and Cargo, and PyPI and so on) is that they allow namesquatting at all. It should be that you can only publish into your own user's namespace. So if I upload the "foobar" library to NPM, it can be imported as "user/majewsky/foobar" or something. And if you upload one with the same name, it would be under "user/hughw/foobar". The review barrier would be to obtain an alias into the main namespace: If I wanted to have my library be just "foobar", I would have to apply for my own library to be aliased to that name. And then there could have to be some sort of notability requirement for those "nice" names.


I agree, this seems to work quite well for Docker Hub.



