• pupapaik 8 hours ago |
    Last week's Lottie-Player compromise showed how NPM's lack of mandatory security controls continues to make supply chain attacks effective. While investigating popular JavaScript libraries, I found that most don't leverage NPM's provenance attestation, proper version pinning, or SRI checks.

    The concerning patterns I found:

    - Major packages (react, lodash, express) don't use NPM provenance
    - Widespread use of @latest tags in production
    - Missing SRI checks in CDN deployments
    - No server-side enforcement of attestation
    - Client-side tooling lacks verification options