Just use dependency cooldown. It will mitigate a lot of risk.

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

	▲	flexd 7 hours ago \| parent \| next [-]
		no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions old edit: but if that's also compromised earlier... \o/
	▲	cluckindan 7 hours ago \| parent \| prev [-]
		Obviously you bypass the cooldown to fix critical issues.