This is nice https://giraffesecurity.dev/posts/dependabot-confusion/
TL;DR: if you have an internal npm package name and someone goes ahead and registers that name in the public registry, Dependabot used to get confused and raise a pull request mapping the repo's dependency to the public npm module.
This is not new: #DependencyConfusion has been in the wild for some time https://www.csoonline.com/article/3609779/dependency-confusion-explained-another-risk-when-using-open-source-repositories.html and there are more examples out there.
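The check a practitioner would want here, as an added example that is not code from the linked post or from Dependabot: audit package.json and package-lock.json for the two conditions that make this attack work, an internal dependency with an unscoped (hence publicly registrable) name, and an internal dependency whose lockfile `resolved` URL points at a registry other than your private one, which is exactly what a confused Dependabot PR would introduce. The package names (`acme-internal-utils`, `@acme/auth-client`), the private scope `@acme`, the registry host `npm.acme.internal`, and both JSON documents are constructed sample input, not real projects.

```python
"""Dependency-confusion audit for an npm project (added example).

Assumes the team maintains a list of its internal package names, a set of
private scopes, and the host(s) of its private registry. All values below
are constructed for the example.
"""
import json
from urllib.parse import urlparse

# Constructed package.json: one unscoped internal name (squattable), one
# scoped internal name, one ordinary public dependency.
PACKAGE_JSON = """{
  "name": "acme-web",
  "dependencies": {
    "acme-internal-utils": "^1.2.0",
    "@acme/auth-client": "^3.0.1",
    "lodash": "^4.17.21"
  }
}"""

# Constructed lockfile (lockfileVersion 3 layout). The internal package has
# been bumped to a version that only exists on the public registry, which is
# what a confused dependency-update PR would produce.
PACKAGE_LOCK = """{
  "name": "acme-web",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "acme-web"},
    "node_modules/acme-internal-utils": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/acme-internal-utils/-/acme-internal-utils-99.0.0.tgz"
    },
    "node_modules/@acme/auth-client": {
      "version": "3.0.1",
      "resolved": "https://npm.acme.internal/@acme/auth-client/-/auth-client-3.0.1.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    }
  }
}"""

INTERNAL_PACKAGES = {"acme-internal-utils", "@acme/auth-client"}  # assumed
PRIVATE_SCOPES = {"@acme"}                                         # assumed
PRIVATE_REGISTRY_HOSTS = {"npm.acme.internal"}                     # assumed


def _lock_entries(lock):
    """Yield (package_name, entry) from a parsed package-lock.json.

    lockfileVersion 2/3 keys "packages" by node_modules path; the package
    name is whatever follows the last "node_modules/". lockfileVersion 1
    keys "dependencies" by name and nests transitive deps.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, entry in packages.items():
            if not path:  # "" is the root project, not a dependency
                continue
            yield path.rsplit("node_modules/", 1)[-1], entry
        return

    def walk(deps):
        for name, entry in deps.items():
            yield name, entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def unscoped_internal_names(package_json_text, internal_packages, private_scopes):
    """Internal dependencies whose bare name anyone could register publicly."""
    pkg = json.loads(package_json_text)
    names = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in pkg.get(section, {}):
            if name not in internal_packages:
                continue
            scope = name.split("/", 1)[0] if name.startswith("@") else None
            if scope not in private_scopes:
                names.append(name)
    return sorted(names)


def public_resolutions(lock_text, internal_packages, private_hosts):
    """Internal packages the lockfile resolves from somewhere other than the private registry.

    An entry with no "resolved" URL at all is also reported (host ""), since it
    cannot be shown to come from the private registry.
    """
    lock = json.loads(lock_text)
    findings = []
    for name, entry in _lock_entries(lock):
        if name not in internal_packages:
            continue
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in private_hosts:
            findings.append((name, entry.get("version", ""), host))
    return sorted(findings)


def npmrc_for_scopes(private_scopes, registry_url):
    """.npmrc lines pinning each private scope to the private registry."""
    return "".join(f"{scope}:registry={registry_url}\n" for scope in sorted(private_scopes))


def audit(package_json_text, lock_text, internal_packages, private_scopes, private_hosts):
    return {
        "squattable_names": unscoped_internal_names(package_json_text, internal_packages, private_scopes),
        "public_resolutions": public_resolutions(lock_text, internal_packages, private_hosts),
    }


if __name__ == "__main__":
    report = audit(PACKAGE_JSON, PACKAGE_LOCK, INTERNAL_PACKAGES, PRIVATE_SCOPES, PRIVATE_REGISTRY_HOSTS)
    for name in report["squattable_names"]:
        print(f"[warn] {name}: unscoped internal name, registrable on the public registry")
    for name, version, host in report["public_resolutions"]:
        print(f"[fail] {name}@{version}: resolved from {host!r}, not a private registry host")
    print("suggested .npmrc:\n" + npmrc_for_scopes(PRIVATE_SCOPES, "https://npm.acme.internal/"), end="")
```

Run it in CI against the lockfile a dependency-update PR proposes: the `[fail]` line is the signal that an internal package is about to be pulled from the public registry, and the scoped `.npmrc` output is the standing fix, since a scoped name pinned to a private registry is never looked up publicly in the first place.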