[mjr00]

You presume very incorrectly to say the least.

The npm supply chain attacks were only an issue if you don't use lock files. In fact they were a great example of why you shouldn't blindly upgrade to the latest packages when they are available.

[wowohwow]

Fair enough, which is why I called out my assumption:).

I'm referring to the all hands on deck nature of responding to security issues not the best practice. For many, the NPM issue was an all hands on deck.

[stavros]

Wait what? I've been wondering why people have been fussing over supply chain vulnerabilities, but I thought they mostly meant "we don't want to get unlucky and upgrade, merge the PR, test, and build the container before the malicious commit is pushed".

Who doesn't use lockfiles? Aren't they the default everywhere now? I really thought npm uses them by default.