Thanks for sharing!

I've been doing tons of JS supply chain work lately - it has already been a shitshow for a couple of years but now it's getting really bad. Some packages are seeing multiple vulns per week, and at the same time we have multiple concurrent attacks that are easy to miss.

I'm thinking of =-pinning instead of ^-pinning. May even be the same maintenance spend if you're actually checking diffs.

PS: threw you guys a PR a while back too