This is a good reminder that npm's package-lock is very stable and will prevent attackers replacing packages in existing projects: https://docs.npmjs.com/files/package-lock.json https://twitter.com/coderbyheart/status/949824670018293760
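The protection the linked docs describe comes from the `integrity` field each dependency entry carries in package-lock.json: a Subresource Integrity string (`<algo>-<base64 digest>`) that a client checks against the downloaded tarball, so a tarball swapped under the same version fails to install. The following added example (written for this page, not code from npm or from the linked tweet) shows that check in plain Python against a constructed lockfile and constructed tarball bytes; the package name, URL and tarball contents are sample values, not real registry data.

```python
"""Check tarball bytes against the `integrity` field of a package-lock.json.

Added example, not part of the original page or of npm itself. It assumes the
documented package-lock.json layout (lockfileVersion 1): each entry under
"dependencies" has a "resolved" URL and an "integrity" SRI string of the form
"<algo>-<base64 digest>". All package names and bytes below are constructed.
"""
import base64
import hashlib
import hmac
import json

# Algorithms SRI treats as acceptable; anything else is refused.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}

# Constructed bytes standing in for the tarball the lockfile was generated from.
GOOD_TARBALL = b"constructed tarball bytes for sample-pkg@1.3.0"
# Constructed bytes standing in for a substituted tarball served under the same version.
TAMPERED_TARBALL = b"constructed tarball bytes for sample-pkg@1.3.0 (modified)"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI string such as 'sha512-<base64>' for the given bytes."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed lockfile: the integrity value is what npm would have recorded
# at the time the dependency was first installed.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "lockfileVersion": 1,
    "requires": True,
    "dependencies": {
        "sample-pkg": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/sample-pkg/-/sample-pkg-1.3.0.tgz",
            "integrity": sri(GOOD_TARBALL),
        },
        "no-integrity-pkg": {
            "version": "0.1.0",
            "resolved": "https://registry.example.invalid/no-integrity-pkg/-/no-integrity-pkg-0.1.0.tgz",
        },
    },
})


def parse_integrity(value: str):
    """Split an SRI string into (algorithm, raw digest bytes)."""
    algo, sep, b64 = value.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        raise ValueError(f"malformed or unsupported integrity value: {value!r}")
    return algo, base64.b64decode(b64)


def verify_package(lock_text: str, name: str, tarball: bytes) -> bool:
    """Return True only if `tarball` hashes to the lockfile's recorded integrity.

    A missing integrity field is treated as an error rather than a pass: without
    it the lockfile pins a version string but not the package contents.
    """
    lock = json.loads(lock_text)
    entry = lock["dependencies"][name]
    if "integrity" not in entry:
        raise ValueError(f"{name}: lockfile entry has no integrity field")
    algo, expected = parse_integrity(entry["integrity"])
    actual = hashlib.new(algo, tarball).digest()
    # Constant-time comparison; the digests are fixed-length so this is cheap.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("original tarball accepted:", verify_package(SAMPLE_LOCK, "sample-pkg", GOOD_TARBALL))
    print("substituted tarball accepted:", verify_package(SAMPLE_LOCK, "sample-pkg", TAMPERED_TARBALL))
```

The check only helps when the lockfile is actually honoured: install paths that regenerate or ignore package-lock.json (for example, a missing lockfile or an install that resolves fresh versions) will record whatever the registry serves at that moment, so the lockfile should be committed and the integrity values reviewed when they change.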