It’s certainly still a viable attack vector though, because who checks all of their transitive dependencies every time dependabot opens a PR haha