It should be possible to generate a list of package versions uploaded before September 2020, sorted by number of weekly downloads, to empower users of those packages to upgrade to a newer version (if there is one) or file an issue against that package asking for a release of a new patch version (if there isn't).
Unfortunately, the number of weekly downloads wouldn't give much indication of how many people were affected, since some of the downloads will be by bots or eager CI systems, and some organisations cache packages locally after the first download.
That's great, thank you! Does it check recursive dependencies, and could you make it work against a package you haven't installed yet, by specifying the package name as an argument, rather than it only looking at what's already installed?
If that's possible, it would be really good to then run it against a list of popular packages, like [1] or [2], and report back which packages are the highest priority for getting version bumps (or at least for having someone manually check that the code in the package matches the code in its repo, which we assume an attacker didn't have control over).
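An added example of the check being asked for above (recursive dependencies, package name given as an argument), written for this thread and not the tool the commenter is describing. It walks a package's transitive dependency tree from npm-registry-style metadata (the `versions`, `dependencies` and `time` fields of a registry document), resolves each range to the highest matching version, and flags every resolved version published before the 1 September 2020 cutoff, distinguishing packages that have a newer release to move to from packages that have had no release since. The registry documents, package names and dates are constructed here so it runs offline; the semver matcher is a deliberate simplification covering `*`, exact, `^` and `~` ranges only, and resolving one version per package name is also a simplification (npm can install several):

```python
# Added example for the thread: flag transitive dependencies whose resolved
# version was published before a cutoff date. Not the commenter's tool.
import re
import sys
from datetime import datetime, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample documents in the shape of npm registry package metadata.
# For a live run, replace REGISTRY[name] with the JSON from
# https://registry.npmjs.org/<name> (same "versions" / "time" layout).
REGISTRY = {
    "app-lib": {
        "versions": {
            "1.0.0": {"dependencies": {"leftpad-ish": "^1.0.0"}},
            "2.0.0": {"dependencies": {"leftpad-ish": "^1.0.0"}},
        },
        "time": {"1.0.0": "2019-05-01T00:00:00.000Z", "2.0.0": "2021-01-15T00:00:00.000Z"},
    },
    "leftpad-ish": {
        "versions": {
            "1.0.0": {"dependencies": {}},
            "1.2.0": {"dependencies": {"tiny-util": "0.3.0"}},  # exact pin
        },
        "time": {"1.0.0": "2018-01-01T00:00:00.000Z", "1.2.0": "2020-03-10T00:00:00.000Z"},
    },
    "tiny-util": {
        "versions": {"0.3.0": {}, "0.3.1": {}},
        "time": {"0.3.0": "2020-08-20T00:00:00.000Z", "0.3.1": "2020-10-02T00:00:00.000Z"},
    },
}


def parse_ver(v):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())


def satisfies(version, spec):
    """Minimal semver range check: '*', exact, '^x.y.z', '~x.y.z'.
    Full npm ranges (||, >=, x-ranges, prerelease tags) are out of scope."""
    if spec in ("*", "", "latest"):
        return True
    v = parse_ver(version)
    op, base = (spec[0], spec[1:]) if spec[0] in "^~" else ("", spec)
    b = parse_ver(base)
    if op == "":
        return v == b
    if v < b:
        return False
    if op == "~":                      # patch-level changes only
        return v[:2] == b[:2]
    if b[0] != 0:                      # caret: leftmost non-zero part is fixed
        return v[0] == b[0]
    if b[1] != 0:
        return v[:2] == b[:2]
    return v == b


def resolve(name, spec):
    """Highest published version of `name` satisfying `spec`."""
    candidates = [v for v in REGISTRY[name]["versions"] if satisfies(v, spec)]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {spec}")
    return max(candidates, key=parse_ver)


def published_at(name, version):
    return datetime.fromisoformat(REGISTRY[name]["time"][version].replace("Z", "+00:00"))


def audit(name, spec="*", cutoff=CUTOFF, seen=None):
    """Return {pkg: (resolved_version, published_before_cutoff, newest_post_cutoff_version_or_None)}
    for `name` and its transitive runtime dependencies."""
    seen = {} if seen is None else seen
    if name in seen:
        return seen
    version = resolve(name, spec)
    newer = [v for v in REGISTRY[name]["versions"]
             if parse_ver(v) > parse_ver(version) and published_at(name, v) >= cutoff]
    seen[name] = (version, published_at(name, version) < cutoff,
                  max(newer, key=parse_ver) if newer else None)
    for dep, dep_spec in REGISTRY[name]["versions"][version].get("dependencies", {}).items():
        audit(dep, dep_spec, cutoff, seen)
    return seen


def report(name, cutoff=CUTOFF):
    """Human-readable lines for every stale package in the tree of `name`."""
    lines = []
    for pkg, (ver, stale, newer) in audit(name, cutoff=cutoff).items():
        if not stale:
            continue
        action = (f"newer release {newer} exists, bump the range" if newer
                  else "no release since cutoff, file an issue asking for a patch release")
        lines.append(f"{pkg}@{ver}: published before {cutoff.date()}; {action}")
    return lines


if __name__ == "__main__":
    for line in report(sys.argv[1] if len(sys.argv) > 1 else "app-lib"):
        print(line)
```

With the sample data, `leftpad-ish` is reported as having no release since the cutoff (file an issue) and `tiny-util` as pinned to a pre-cutoff version although 0.3.1 exists (bump the range). Feeding it a list of popular package names, one per call to `report`, gives the prioritised list the comment above asks for; the weekly-download ordering would come from a separate registry query.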
It's cynical, I know, but I can't keep from wondering whether your npm package has already been compromised by another hidden flaw to prevent us from finding out which older ones are at risk?