Why npm lockfiles can be a security blindspot for injecting malicious modules(外部記事)