A surprise contributor merged questionable changes to a library used by the svelte compiler: <a href="https://github.com/A11yance/axobject-query/pull/354">https://github.com/A11yance/axobject-query/pull/354</a><p>Their contributions across the ecosystem hit a nerve in the community so strongly that there is a package scanner for this particular contributor: <a href="https://github.com/rschristian/voldephobia/blob/master/src/pkg/pkgQuery.js#L3">https://github.com/rschristian/voldephobia/blob/master/src/p...</a>