npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see

npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see The right answer for protecting a Node project's dependencies is don't trust npm audit . I know that sounds wrong — it's the official tool, it's in every doc, the green CI badge tells you you're good. But after running the same vector that destroyed the PyTorch Lightning situation against my own stack, I have to be straight with you: the green badge is the most dangerous part of