jongjong 3 days ago
My open source projects were not affected but close call. I was using 2 of the dependencies (as sub-dependencies) but older versions. Seems that my philosophy of minimizing the number of dependencies and looking up dependency authors is paying off. I saw this kind of thing coming years ago. I never understood why people were obsessed with using tiny dependencies to save them 4 lines of code. These useless dependencies getting millions of weekly downloads always seemed very suspicious to me.