tailwindlabs / tailwindcss

A utility-first CSS framework for rapid UI development.
https://tailwindcss.com/
MIT License

[Security] Is this a supply chain attack that targeted tailwind? #13963

Closed chiro-hiro closed 1 month ago

chiro-hiro commented 1 month ago

What version of Tailwind CSS are you using?

For example: v3.4.4

What build tool (or framework if it abstracts the build tool) are you using?

For example: postcss-cli 8.3.1

What version of Node.js are you using?

For example: v18.20.3

What browser are you using?

For example: Chrome

What operating system are you using?

For example: macOS

Reproduction URL

N/A

Describe your issue

I think you guys should check your dependency packages, for instance the package @isaacs/cliui@8.0.2 contains many empty packages, e.g.: https://www.npmjs.com/package/string-width-cjs?activeTab=code, and it's weird that the authors of these packages are unknown but they were included in @isaacs/cliui@8.0.2 with ~20M downloads.

  ├─┬ tailwindcss@3.4.4
  │ └─┬ sucrase@3.35.0
  │   ├── @jridgewell/gen-mapping@0.3.5 deduped
  │   ├── commander@4.1.1
  │   ├─┬ glob@10.4.2
  │   │ ├─┬ foreground-child@3.2.1
  │   │ │ ├── cross-spawn@7.0.3 deduped
  │   │ │ └── signal-exit@4.1.0
  │   │ ├─┬ jackspeak@3.4.0
  │   │ │ ├─┬ @isaacs/cliui@8.0.2
  │   │ │ │ ├─┬ string-width-cjs@npm:string-width@4.2.3
  │   │ │ │ │ ├── emoji-regex@8.0.0 deduped
  │   │ │ │ │ ├── is-fullwidth-code-point@3.0.0 deduped
  │   │ │ │ │ └── strip-ansi@6.0.1 deduped
  │   │ │ │ ├─┬ string-width@5.1.2
  │   │ │ │ │ ├── eastasianwidth@0.2.0
  │   │ │ │ │ ├── emoji-regex@9.2.2
  │   │ │ │ │ └── strip-ansi@7.1.0 deduped
  │   │ │ │ ├─┬ strip-ansi-cjs@npm:strip-ansi@6.0.1
  │   │ │ │ │ └── ansi-regex@5.0.1 deduped
  │   │ │ │ ├─┬ strip-ansi@7.1.0
  │   │ │ │ │ └── ansi-regex@6.0.1
  │   │ │ │ ├─┬ wrap-ansi-cjs@npm:wrap-ansi@7.0.0
  │   │ │ │ │ ├── ansi-styles@4.3.0 deduped
  │   │ │ │ │ ├── string-width@4.2.3 deduped
  │   │ │ │ │ └── strip-ansi@6.0.1 deduped
  │   │ │ │ └─┬ wrap-ansi@8.1.0
  │   │ │ │   ├── ansi-styles@6.2.1
  │   │ │ │   ├── string-width@5.1.2 deduped
  │   │ │ │   └── strip-ansi@7.1.0 deduped
  │   │ │ └── @pkgjs/parseargs@0.11.0

chiro-hiro commented 1 month ago

Npmjs parsed package.json wrong