It's part of the ESLint organization, which is what I'm referring to being compromised, not the exact package.

What you're saying is anyhow wrong as far as I can see. ESLint-scope is included by ESLint. Current version uses ^4.0.0 and shouldn't be affected, but versions from before May has the affected ^3.7.1 dependency. This version is also included in webpack, making it a big target anyhow.

> This is _eslint-scope_ which is not included by default with ESLint itself.

Yeah, it is.

https://www.npmjs.com/browse/depended/eslint-scope

are you sure?

  $ json -j version dependencies.eslint-scope < `npm root -g`/eslint/package.json
  {
    "version": "4.19.1",
    "dependencies.eslint-scope": "^3.7.1"
  }

Mods / sctb / dang: can you fix the title? Thanks!

Just replying to self: parent is wrong and I wish I could delete my comment above