I maintain a package with 200k weekly downloads. I do this for free, at night, while holding a full-time job. npm now wants me to add mandatory 2FA, sign releases, submit to a security audit process, and attend quarterly reviews. I have a toddler. I'm going to archive the repo.