We are distributing trust in a too thin way. Node packages should be grouped in superset packages with a concentrated trust on special maintainers. Makes no sense to upgrade a lot of small packages each time we do a "npm update".