How Cloudflare’s client-side security made the NPM supply chain attack non-event