Don't get me wrong I love getting 300 dependabot updates per day. It's a huge productivity booster and even if you devote 1/2 your dev team to keeping this shit up to date, you'd still be vulnerable to repo-jacking, because the entire pkg ecosystem is broken. The other thing i love about npm and pypi is the way a single small team will re-download in ci (regardless of caching) a TiB of packages all day long for no reason. Love waiting for gh actions to re-import infinite packages for the nth time before it times out and you restart it manually. makes so much sense. Great work all. glad openai is putting the nails in this retard coffin.