The last time I pointed this out, some npm dinosaur said npm allows publishing of any type of package so it cannot enforce a structure. Wow, really, that’s exactly what I’m saying. Whose fault is that? So the result is that nobody knows how to publish anything so npm is in shambles.
You can publish a package that has zero files in it, even if it mentions them in main/exports. That’s a very basic check they could do, but they don’t.
Ideally you wouldn’t be able to publish a type=module file that contains “require”, but if npm doesn’t even want to validate the existence of the file, we can never get to how to validate anything else.
At the very least warn the user that they’re publishing a broken package, but still allow it if you must.
