I see this kind of comment often, somebody implements a solid security improvement measure and a popular response is "what about x!?"
No, enabling MFA for the most popular packages won't end all security, but also your strategy of targeting subdependencies isn't very good, every dependency of a popular project will be more popular than its dependent parent.
No, enabling MFA for the most popular packages won't end all security, but also your strategy of targeting subdependencies isn't very good, every dependency of a popular project will be more popular than its dependent parent.