Probably goes down as one of the worst large-scale blunders of this type given the sheer number of people affected. It's actually fairly insane that node.js relies on npm like this - isn't it only a matter of time before one of the core node packages gets compromised and someone gets root access to thousands of servers and dev boxes?
Although npm ships with node, the problems aren't because of that.
People have (foolishly, in my opinion) chosen to make npm an integral part of their deployment process, which is why this change has broken a lot of people's deployments. They're going against the official npm recommendation [1], which is to check your dependencies into your source repository and not use npm in deployment scripts. (A good idea with any package manager, imo. [2])
Not that I'm excusing npm; a change like this seems like something they should have taken more carefully.
As an alternative to checking in your dependencies: have your build server 'npm install' your module for testing, then archive the directory tree. Deploy from the archive.
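The build-then-archive flow suggested in the comment above, sketched as an added example that is not part of the thread. The function names, paths and the `.sha256` sidecar file are assumptions, and GNU tar and `sha256sum` are assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: package a tested build tree once, then deploy only from that archive.
# Assumes GNU tar and sha256sum; function names and paths are illustrative.
# On the build server, `npm install` and the test suite run BEFORE build_archive,
# so production hosts never contact the registry.

# build_archive <tree_dir> <archive.tar.gz>
# Archives the tree (node_modules included) and writes <archive>.sha256 beside it.
build_archive() {
    local tree=$1 archive=$2
    [ -d "$tree/node_modules" ] || { echo "no node_modules in $tree" >&2; return 1; }
    tar -C "$tree" -czf "$archive" . || return 1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# deploy_archive <archive.tar.gz> <dest_dir>
# Refuses to extract unless the digest matches and every member path stays inside dest.
deploy_archive() {
    local archive=$1 dest=$2
    ( cd "$(dirname "$archive")" &&
      sha256sum --check --status "$(basename "$archive").sha256" ) \
        || { echo "digest mismatch for $archive" >&2; return 2; }
    # Reject absolute paths and ".." components in member names.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2; return 3
    fi
    mkdir -p "$dest" && tar -C "$dest" -xzf "$archive"
}
```

The digest only detects tampering if the `.sha256` file reaches the deploy host over a path the archive does not share, for example recorded by the build server in a separate store or signed.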
Yum (and I seem to recall up2date) have had certificates revoked before (due to compromises on the upstream packaging system) requiring everybody to re-import a good certificate before updates will work again.
Now, system updates are a different beast than tying your development process into Magic Hosted Things In Internetland, but certificates on things have been changed before and they will be changed again. Just have to keep aware of how your systems work and what they depend on, which goes against modern "javascript with a double large lack of knowledge" development.