Commit 6f05dad

fix: bolding whitespace (#1183)
This extremely minor PR repairs Markdown syntax in the threats-and-mitigations document to correctly bold-face a portion of the text. (Which was broken due to the markup being inserted as `the** email... address**.` instead of `the **email... address**.`)

## References
1 parent 653c3cb commit 6f05dad

1 file changed

+1
-1
lines changed
content/threats-and-mitigations/index.mdx

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ We also recognize that passwords aren’t going away any time soon. For users th
1818

1919
Another method used to take over an account is by identifying accounts using an expired domain for their email address. An attacker could register the expired domain and recreate the email address used to register the account. With access to an account's registered email address an attacker could take over an account not protected by 2FA via a password reset.
2020

21-
When a package is published the email address associated with the account, **at the time the package was published**, is included in the public metadata. Attackers are able to utilize this public data to identify accounts that might be susceptible to account takeover. It is important to note that the** email addresses stored in public metadata of packages are not updated when a maintainer updates their email address**. As such crawling public metadata to identify accounts susceptible to expired domain takeover will result in false positives, accounts that appear to be vulnerable but are not.
21+
When a package is published the email address associated with the account, **at the time the package was published**, is included in the public metadata. Attackers are able to utilize this public data to identify accounts that might be susceptible to account takeover. It is important to note that the **email addresses stored in public metadata of packages are not updated when a maintainer updates their email address**. As such crawling public metadata to identify accounts susceptible to expired domain takeover will result in false positives, accounts that appear to be vulnerable but are not.
2222

2323
npm does periodically check if accounts email addresses have expired domains or invalid MX records. When the domain has expired, we disable the account from doing a password reset and require the user to undergo account recovery or go through a successful authentication flow before they can reset their password.
2424
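Review bot: the bold fix on line 21 is correct (the opening `**` now sits directly before `email` and the closing `**` after `address` is unchanged, so the span renders), but two nits in the same paragraph could ride along in this PR: `As such crawling public metadata` wants a comma after `As such`, and the unchanged context line `accounts email addresses have expired domains` is missing the possessive apostrophe (`accounts' email addresses`).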
