The travelling salesman problem is typically described as NP hard, whereas avoiding a supply chain attack on your package manager is apparently NPM hard…