Description
@gustavohenke It looks like you are trying to update this package but just haven't published successfully yet. That's great that you are working on it. With that said, I got a bit of a scare today.
What caused me concern is that the npm package page (https://www.npmjs.com/package/chokidar-cli) points to an org/repo that is not legitimate (open-cli-tools/chokidar-cli), and at first, when looking at the content of that repo, it seemed to indicate that someone else has control of the source code.
Upon further review I don't think there is any malicious code in the npm package to indicate that they were able to publish, but rather it seems like a case of name squatting on GitHub. It appears previous maintainers renamed the organization and someone was able to snag the old org name (open-npm-tools), and these new owners of that org are saying that they've been able to 'take over' the old org name.
I don't think they can actually do any harm except make people worried, but if we could get a good publish to npm with the now-updated homepage and repo fields in the package.json, then it might make people a bit less freaked out and thinking that they are pwnd.
Just a heads up. Let me know if you need any help.
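The mismatch described in this issue (package metadata still pointing at an organization name the maintainers no longer hold) is easy to check mechanically before publishing or when vetting a dependency. The script below is an added example, not code from the chokidar-cli project or from the issue author: it normalizes the `repository`, `homepage` and `bugs` fields of a package.json (all the forms npm accepts for `repository`, including the shorthand, `github:` and `git+https` variants) into a GitHub owner/repo pair and reports any field whose owner is not in an allowlist the maintainers control. The manifests and org names (`old-org-name`, `new-org-name`, `example-cli`) are constructed placeholders, not the real packages or organizations. The check deliberately does not rely on GitHub's rename redirects, because a redirect stops working the moment the old name is re-registered by someone else, which is exactly the scenario here.

```python
"""Audit package.json repository metadata against the GitHub orgs we actually own.

Added example (hypothetical names), not the chokidar-cli project's own code.
Input is a parsed package.json, e.g. from the repo or from `npm view <pkg> --json`.
"""
import json
import re
from urllib.parse import urlparse

# npm accepts "owner/repo", "github:owner/repo", a git/https URL (optionally
# prefixed with "git+"), an scp-style git@ URL, or {"type": ..., "url": ...}.
_SHORTHAND = re.compile(r"^(?:github:)?([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)$")
_SCP_STYLE = re.compile(r"^git@github\.com:([^/]+)/([^/]+)$")


def github_owner_repo(value):
    """Return (owner, repo) for a repository/homepage/bugs value, or None if the
    value does not reference github.com. Lowercased: GitHub names are case-insensitive."""
    if isinstance(value, dict):           # {"type": "git", "url": "..."} object form
        value = value.get("url", "")
    if not isinstance(value, str) or not value:
        return None
    m = _SHORTHAND.match(value)
    if m:
        return m.group(1).lower(), m.group(2).lower().removesuffix(".git")
    url = value[4:] if value.startswith("git+") else value   # drop npm's "git+" prefix
    m = _SCP_STYLE.match(url)
    if m:
        return m.group(1).lower(), m.group(2).lower().removesuffix(".git")
    parsed = urlparse(url)
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]   # fragment (#readme) is already split off
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].lower().removesuffix(".git")


def audit_package(pkg, expected_owners):
    """Return one finding per metadata field that points at a GitHub owner outside
    expected_owners. An empty list means every GitHub reference is under our control."""
    expected = {o.lower() for o in expected_owners}
    findings = []
    for field in ("repository", "homepage", "bugs"):
        ref = github_owner_repo(pkg.get(field))
        if ref is None:
            continue                      # absent, or not a GitHub URL at all
        owner, repo = ref
        if owner not in expected:
            findings.append(f"{field}: points at github.com/{owner}/{repo}, "
                            f"expected an owner in {sorted(expected)}")
    return findings


# Constructed sample manifests (hypothetical org and package names).
# STALE: metadata still names the old org that could now belong to anyone.
STALE_MANIFEST = json.loads("""{
  "name": "example-cli",
  "version": "1.0.0",
  "repository": {"type": "git", "url": "git+https://github.com/old-org-name/example-cli.git"},
  "homepage": "https://github.com/old-org-name/example-cli#readme",
  "bugs": {"url": "https://github.com/old-org-name/example-cli/issues"}
}""")

# FIXED: what a corrected publish should carry.
FIXED_MANIFEST = {
    "name": "example-cli",
    "version": "1.0.1",
    "repository": "github:new-org-name/example-cli",
    "homepage": "https://github.com/new-org-name/example-cli#readme",
    "bugs": "https://github.com/new-org-name/example-cli/issues",
}

if __name__ == "__main__":
    for label, pkg in (("stale", STALE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        findings = audit_package(pkg, ["new-org-name"])
        print(label, "OK" if not findings else findings)
```

Run it as a pre-publish step (or over `npm view <pkg> --json` output when reviewing a dependency) with the allowlist set to the organizations the maintainers currently hold; any finding means the published metadata would send users to a name someone else may now control, which is the situation this issue reports.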