You can publish a package that has zero files in it, even if it mentions them in main/exports. That’s a very basic check they could do, but they don’t.
Ideally you wouldn’t be able to publish a type=module file that contains “require”, but if npm doesn’t even want to validate the existence of the file, we can never get to how to validate anything else.
At the very least warn the user that they’re publishing a broken package, but still allow it if you must.
