I agree, I just think it's pointless to discuss Axios' commit-signing practices or lack thereof when NPM doesn't support any of it. It seems like axios was already using Trusted Publishing [1] and it still didn't get caught.
You said that you "also" blame NPM, but they're the only party who should get any blame until they get their shit together.
