> To every automated security system, these packages show "0 Dependencies."

With all the faults of npm, I fail to see that as npm fault. That sounds honestly like a security system fault. Why would an audit tool ignore a clearly defined dependency?

More terrifying supply chain attacks against developers