stavros 7 hours ago

Wait what? I've been wondering why people have been fussing over supply chain vulnerabilities, but I thought they mostly meant "we don't want to get unlucky and upgrade, merge the PR, test, and build the container before the malicious commit is pushed". Who doesn't use lockfiles? Aren't they the default everywhere now? I really thought npm uses them by default.