How does your company protect itself against supply chain attacks on NPM? At my company, we try to keep dependencies at a minimum, but I doubt this is effective as a protective measure.
State exact versions and checksums of all deps plus run your own server hosting the deps and firewall it from accessing the internet at large. Only update deps when needed. This is what we have to do in our env.
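As an added illustration of the controls in the reply above (not code from either poster), a small lockfile audit that fails when a dependency is declared as a range instead of an exact version, lacks a sha512 integrity checksum, or was resolved from anywhere other than the internal mirror. The `package.json`, `package-lock.json` (v3 layout) and the mirror hostname `npm.internal.example` are constructed sample data.

```javascript
// Added example: audit npm metadata for the three controls described in the
// thread: exact pins, integrity checksums, and resolution only via an internal
// mirror. All inputs below are constructed; the mirror hostname is an assumption.
const INTERNAL_REGISTRY = "https://npm.internal.example/";

const packageJson = {
  dependencies: { left: "1.2.3", pad: "^2.0.0" }, // "pad" is a range, not a pin
};

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { left: "1.2.3", pad: "^2.0.0" } }, // root project entry
    "node_modules/left": {
      version: "1.2.3",
      resolved: "https://npm.internal.example/left/-/left-1.2.3.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder checksum
    },
    "node_modules/pad": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/pad/-/pad-2.1.0.tgz", // public registry
      // no integrity field: npm would not be able to verify the tarball
    },
  },
};

// Exact semver only: no ^, ~, >=, x or wildcard ranges.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns a list of human-readable findings; an empty list means the project
// passes all three checks.
function auditSupplyChain(pkg, lock, registry) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!EXACT.test(spec)) findings.push(`${name}: "${spec}" is a range, not a pinned version`);
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // skip the root project entry
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity || !entry.integrity.startsWith("sha512-"))
      findings.push(`${name}: missing sha512 integrity checksum`);
    if (!entry.resolved || !entry.resolved.startsWith(registry))
      findings.push(`${name}: resolved from ${entry.resolved} instead of the internal mirror`);
  }
  return findings;
}

const findings = auditSupplyChain(packageJson, lockfile, INTERNAL_REGISTRY);
findings.forEach((f) => console.log("FAIL " + f));
```

Run this in CI before `npm ci` and fail the build on any finding; the `.npmrc` `registry=` key is what actually points npm at the mirror.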