@frederic@chaos.social how is this even worth publishing. *of course* a public registry is vulnerable to this, and none of that is vscode or npm specific. making it out to be is bullshit