
Why not use Artifactory or a similar proxy so you always have a local mirror?



That seems like a mediocre patch for a problem that wouldn't exist in the first place if you used a centralized package manager.


To be fair, you _should_ probably already be proxying npm and importing from an internal domain (same would be true in any language, really).

The truth is, even with a centralized repository, we're still importing user-code, made by humans that may not be well-intentioned or simply not know that their code is vulnerable: proxying within your network and running periodic checks against the content of the local cache would be good practice, no matter where the code came from.
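
One form the periodic cache check mentioned in the comment above could take, as an added example that is not part of the thread: compare each cached tarball with the `integrity` value pinned in `package-lock.json`. The mirror URL, the cache layout (a map keyed by the `resolved` URL) and all package data are constructed assumptions.

```python
import base64
import hashlib

STRENGTH = {"sha1": 0, "sha256": 1, "sha384": 2, "sha512": 3}

def sri(data, algo="sha512"):
    """Build an SRI string (the package-lock.json 'integrity' format)."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def strongest(integrity):
    """Pick the strongest supported (algo, base64 digest) from an SRI string."""
    parsed = [t.partition("-")[::2] for t in integrity.split()]
    known = [p for p in parsed if p[0] in STRENGTH]
    return max(known, key=lambda p: STRENGTH[p[0]], default=None)

def audit_cache(lock_packages, cache):
    """Compare cached tarball bytes with lockfile pins; return sorted findings."""
    findings, pinned = [], set()
    for name, meta in lock_packages.items():
        url = meta.get("resolved")
        if not url:  # root project and link entries have no tarball
            continue
        pinned.add(url)
        pin = strongest(meta.get("integrity", ""))
        if pin is None:
            findings.append((name, "no-usable-integrity"))
        elif url not in cache:
            findings.append((name, "not-in-cache"))
        elif sri(cache[url], pin[0]).partition("-")[2] != pin[1]:
            findings.append((name, "hash-mismatch"))
        elif pin[0] == "sha1":
            findings.append((name, "weak-hash-only"))
    findings += [(u, "unpinned-in-cache") for u in cache if u not in pinned]
    return sorted(findings)

# Constructed sample data: hypothetical internal mirror, fake tarball bytes.
MIRROR = "https://npm.internal.example/"
LOCK = {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/a": {"resolved": MIRROR + "a/-/a-1.0.0.tgz", "integrity": sri(b"a-1.0.0")},
    "node_modules/b": {"resolved": MIRROR + "b/-/b-2.0.0.tgz", "integrity": sri(b"b-2.0.0")},
    "node_modules/c": {"resolved": MIRROR + "c/-/c-3.0.0.tgz", "integrity": sri(b"c-3.0.0", "sha1")},
    "node_modules/d": {"resolved": MIRROR + "d/-/d-4.0.0.tgz", "integrity": sri(b"d-4.0.0")},
}
CACHE = {
    MIRROR + "a/-/a-1.0.0.tgz": b"a-1.0.0",
    MIRROR + "b/-/b-2.0.0.tgz": b"b-2.0.0 modified after caching",
    MIRROR + "c/-/c-3.0.0.tgz": b"c-3.0.0",
    MIRROR + "e/-/e-9.9.9.tgz": b"e-9.9.9",
}
```

Calling `audit_cache(LOCK, CACHE)` reports the altered tarball, the entry pinned only by SHA-1, the pinned package missing from the cache, and the cached tarball that no lockfile entry references.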



