Not only is npm a prominent target, but it also does not allow packages to be removed or blocked from use without a human on their side in the loop.
The result is that they are slow to remove malicious packages, and slowing down your own updates helps to mitigate this a little.
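
One way to apply the "slow down your own updates" idea is a cooldown check against the publish timestamps in the registry's package metadata. This is an added example, not part of the original text; the package name, versions and dates in `samplePackument` are constructed, and `pickCooledVersion` is a hypothetical helper.

```javascript
// Constructed sample of the "time" map from a registry packument
// (the JSON document the npm registry serves for a package name).
const samplePackument = {
  name: "example-pkg", // made-up package
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2025-03-02T08:15:00.000Z",
    "1.4.0": "2024-11-20T12:00:00.000Z",
    "1.4.1": "2025-02-01T12:00:00.000Z",
    "1.5.0-beta.1": "2025-02-10T12:00:00.000Z",
    "1.5.0": "2025-02-27T12:00:00.000Z",
    "1.5.1": "2025-03-02T08:15:00.000Z",
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a plain x.y.z release; prereleases and the "created"/"modified" keys return null.
function parseRelease(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Highest stable version that was published at least `cooldownDays` before `now`.
// Returns null when nothing is old enough, so the caller keeps its current pin.
function pickCooledVersion(packument, cooldownDays, now) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  let best = null;
  for (const [version, published] of Object.entries(packument.time || {})) {
    const parsed = parseRelease(version);
    const ts = Date.parse(published);
    if (!parsed || Number.isNaN(ts) || ts > cutoff) continue; // too new or not a release
    if (!best || compareRelease(parsed, best.parsed) > 0) best = { version, parsed, published };
  }
  return best ? { version: best.version, published: best.published } : null;
}

const now = new Date("2025-03-03T00:00:00.000Z");
console.log(pickCooledVersion(samplePackument, 7, now));
```

npm's own `before` config option applies a similar date cutoff at install time.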