Anonymous author

Things that could help against NPM supply chain attacks similar to the one that happened today:

- prefer exact pkg versions instead of ranges (2.0.0, not ^2.0.0)

- prefer rare dep updates (roughly once every 3 months)

For pkg authors:

- publish from github ci

- do not store npm tokens on a dev machine

- while publishing from github ci, enable provenance for transparency and pin workflow action hashes (fresh policy)
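As an added example (not from the original post), a GitHub Actions workflow that follows the three author-side points above: the publish happens from CI, the npm token lives only in a repository secret rather than on a dev machine, provenance is enabled via `npm publish --provenance` (which needs the `id-token: write` permission), and every third-party action is pinned to a full commit hash. `PLACEHOLDER_SHA` is a stand-in, not a real commit; replace it with the reviewed commit hash of the action version you intend to use.

```yaml
name: publish

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # required so npm can mint a provenance attestation via OIDC

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA, not a mutable tag such as @v4.
      # PLACEHOLDER_SHA is a placeholder for this example; use the real hash.
      - uses: actions/checkout@PLACEHOLDER_SHA   # v4
      - uses: actions/setup-node@PLACEHOLDER_SHA # v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          # Token is a repository secret; it never sits on a developer laptop.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Restricting the workflow to tag pushes and keeping `contents: read` limits what a compromised step could do; the provenance attestation lets consumers verify on npm that the package was built by this workflow from this repository.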
