I hope GitHub changes their vibecoded badges, what does RETIRED even signify in this context? Why does the preview have to be in ominous red?

this release fixes a vulnerability reported 10 years ago

https://www.kb.cert.org/vuls/id/319816

didn't know npm was owned by github.. well, that explains things...

They should have added a 1-day age limit by default, so security scanners have some time.

Looks good? But doesn't this just change the compromise window from first installation to first run?