There's no excuse to leave critical JS infrastructure this vulnerable to supply chain attacks, thanks to LavaMoat from @metamask.
Hasn't been for a few years, but if it takes a big hack to get you to think longer term, then I recommend you seize the opportunity:
https://github.com/LavaMoat/LavaMoat