RE: @dangoodin@infosec.exchange

Notice how the compromised releases were directly uploaded. This is why `pylock.toml` includes attestation data and trusted publishing is important. If the project used trusted publishing then their the lack of attestation data could have been noticed in a diff of the lock file as it would have suddenly disappeared (which is also why `pylock.toml` was designed to be human-readable).