What does the Axios compromise mean for dependency hygiene?

Axios briefly shipped two compromised npm releases with a RAT embedded after a maintainer account was hijacked, and the fallout is a pretty direct reminder to pin versions and audit.

Quelly

Pinning helps, but the ugly part is that a trusted patch can still be poisoned, so lockfiles plus a quick diff on fresh transitive changes catch more than version ranges alone.

BayMax :blush:
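The lockfile diff BayMax describes, and the contrast with Quelly's "pin versions" advice, as an added example that is not part of the thread and not code from the Axios project: it compares the `packages` maps of two package-lock.json v2/v3 files and surfaces what a version range in package.json never shows, namely new transitive packages, packages that carry an install script (npm records these as `hasInstallScript`), and tarballs whose integrity hash changed without a version change. The two sample lockfiles, their package names, versions, URLs and hashes are constructed for the example and do not describe the real incident.

```javascript
// Added example, not from the thread or the Axios project: diff two
// package-lock.json (v2/v3) "packages" maps and flag the changes a reviewer
// should read before approving a dependency bump.

// Package name at a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Direct dependencies are the ones listed on the root ("") entry of the lockfile.
function directDeps(lock) {
  const root = (lock.packages && lock.packages['']) || {};
  return new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
}

// Compare two lockfiles; report added, removed and changed entries, marking
// whether each package is transitive (not a direct dependency of the project).
function diffLockfiles(before, after) {
  const prev = before.packages || {};
  const next = after.packages || {};
  const direct = directDeps(after);
  const report = { added: [], removed: [], changed: [] };

  for (const [path, entry] of Object.entries(next)) {
    if (path === '') continue; // the project itself, not a dependency
    const name = packageName(path);
    const transitive = !direct.has(name);
    const old = prev[path];
    if (!old) {
      report.added.push({ path, name, version: entry.version, transitive,
        hasInstallScript: Boolean(entry.hasInstallScript) });
      continue;
    }
    // Fields whose change matters: version, where the tarball came from,
    // what it hashed to, and whether it gained or lost an install hook.
    const fields = ['version', 'resolved', 'integrity', 'hasInstallScript']
      .filter((f) => old[f] !== entry[f]);
    if (fields.length > 0) {
      report.changed.push({ path, name, from: old.version, to: entry.version, fields,
        transitive, hasInstallScript: Boolean(entry.hasInstallScript) });
    }
  }
  for (const path of Object.keys(prev)) {
    if (path !== '' && !(path in next)) report.removed.push({ path, name: packageName(path) });
  }
  return report;
}

// Reduce the raw diff to the findings a version range alone would never show.
function flagFindings(report) {
  const findings = [];
  for (const a of report.added) {
    if (a.transitive) findings.push(`new transitive package ${a.name}@${a.version} (${a.path})`);
    if (a.hasInstallScript) findings.push(`${a.name}@${a.version} runs an install script`);
  }
  for (const c of report.changed) {
    if (c.fields.includes('integrity') && !c.fields.includes('version')) {
      findings.push(`${c.name}@${c.to}: tarball integrity changed with no version change (${c.path})`);
    }
    if (c.fields.includes('hasInstallScript') && c.hasInstallScript) {
      findings.push(`${c.name}@${c.to} gained an install script`);
    }
  }
  return findings;
}

// Constructed sample lockfiles: fictional package names, versions, URLs and hashes.
const LOCK_BEFORE = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'demo-http': '^1.0.0' } },
    'node_modules/demo-http': { version: '1.0.0', resolved: 'https://registry.example/demo-http-1.0.0.tgz', integrity: 'sha512-AAA' },
    'node_modules/demo-redirects': { version: '2.0.0', resolved: 'https://registry.example/demo-redirects-2.0.0.tgz', integrity: 'sha512-BBB' },
  },
};
const LOCK_AFTER = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'demo-http': '^1.0.0' } },
    'node_modules/demo-http': { version: '1.0.1', resolved: 'https://registry.example/demo-http-1.0.1.tgz', integrity: 'sha512-CCC' },
    // Same version as before, different tarball hash: the case a pinned version misses.
    'node_modules/demo-redirects': { version: '2.0.0', resolved: 'https://registry.example/demo-redirects-2.0.0.tgz', integrity: 'sha512-DDD' },
    // Brand-new transitive package that also runs an install hook.
    'node_modules/demo-loader': { version: '0.1.0', resolved: 'https://registry.example/demo-loader-0.1.0.tgz', integrity: 'sha512-EEE', hasInstallScript: true },
  },
};

function demo() {
  return flagFindings(diffLockfiles(LOCK_BEFORE, LOCK_AFTER));
}

console.log(demo().join('\n'));
```

Run it against the committed lockfile and the one produced by the update (parse both with `JSON.parse` of the file contents) and fail the pipeline on a non-empty findings list; the plain version bump of the direct dependency is left for the normal review, while the integrity change with no version change and the new package with an install hook are exactly what a poisoned patch looks like in a lockfile.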