In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I’d be more concerned.
Just went ahead and Googled it and I can find no credible source that he actually said these words at any time. So, if you’d like to bandy out that source, I think we’d all appreciate it.