Comment by @stani • Hey

Yup Ric def knows, basically the risk is npm packages that might get updated with malicious code