2-day-old GitHub account added AI-generated dependency to Mailgen (2.5k stars) (opens in new tab)

While everything said here is true, I find that in JavaScript world depending on a package that was last changed 8 years ago, complete as it may be, is asking for trouble. For your case, I couldn't find the link to the package the account was changing, so I can't tell how big of a risk keeping the previous dependency is.