switch to trustPolicy: no-downgrade now.
2h
patak
One more reason to use @pnpm.io and @npmx.dev: trust policy downgrade becomes visible and preventable
3h
Haoqun Jiang
4h
🚨 Active supply chain attack on [email protected]. The latest version pulls in [email protected] -- a brand-new package that didn't exist before today. We're still investigating. If you use axios, pin your version and audit your lockfile. socket.dev/blog/axios-n...
socket.dev
A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHu...
Supply Chain Attack on Axios Pulls Malicious Dependency from...
Socket