How are you securing your NPM dependencies?
There are a few obvious things like adding min-release-age, ignore-scripts and save-exact. What other practices can we follow to ensure we are minimizing the damage, especially with chained dependencies?
Freezing the versions in package.json and generally not revisiting unless they have vulnerabilities or there's a compelling reason to update a specific package (which is rare).
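One way to turn the practices in this thread into a repeatable check, as an added example that is not from the original poster or the answerer: a Node script that flags package.json dependency specifiers not pinned to an exact version, and reports which of save-exact, ignore-scripts and min-release-age are missing from .npmrc. The sample package.json and .npmrc are constructed, and the min-release-age value is a placeholder for whatever your policy sets.

```javascript
// Added example (not code from the thread): audit package.json and .npmrc for
// the hardening settings discussed above. Runs offline on the constructed
// sample input below; read real files with fs.readFileSync to use it in CI.

// Only "1.2.3" (optionally with a prerelease/build tag) counts as pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return every dependency whose specifier is not an exact version. Ranges
// (^, ~, >=, *, x), dist-tags ("latest") and URL/git specifiers all count as
// unpinned, since each can resolve to a newer release at install time.
function findUnpinnedDependencies(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      // "npm:other@1.2.3" aliases are pinned when the part after "@" is exact.
      const version = spec.startsWith("npm:") ? spec.slice(spec.lastIndexOf("@") + 1) : spec;
      if (!EXACT_VERSION.test(version)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Parse .npmrc (key=value lines, "#" or ";" comments) and report each expected
// hardening key that is missing or set to a different value.
function findMissingNpmrcSettings(npmrcText, expected) {
  const actual = {};
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    actual[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return Object.entries(expected)
    .filter(([key, value]) => actual[key] !== value)
    .map(([key, value]) => ({ key, expected: value, actual: actual[key] ?? null }));
}

// Constructed sample input: a package.json mixing pinned and ranged
// specifiers, and an .npmrc that forgot ignore-scripts.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "4.19.2", lodash: "^4.17.21", "my-alias": "npm:left-pad@1.3.0" },
  devDependencies: { jest: "~29.7.0", eslint: "latest" },
};
const SAMPLE_NPMRC = "save-exact=true\n# placeholder value; set per your policy\nmin-release-age=7\n";
const EXPECTED_NPMRC = { "save-exact": "true", "ignore-scripts": "true", "min-release-age": "7" };

console.log(findUnpinnedDependencies(SAMPLE_PACKAGE_JSON));
console.log(findMissingNpmrcSettings(SAMPLE_NPMRC, EXPECTED_NPMRC));
```

Any finding from either function is a reason to fail the build; a lockfile installed with `npm ci` is still needed so transitive dependencies stay frozen too.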