some user have received an email from GitHub :
This is due to old package in npm that must normally not interfere : https://www.npmjs.com/package/mariadb
0.7.0 a month ago
0.0.2-security a year ago
1.0.2 a year ago
1.0.1 a year ago
0.0.1-security a year ago
Those 1.0.1 and 1.0.2 version have not to interfere but still are.
Mail has been sent to npm to see if those can be totally removed.