From "Researcher hacks over 35 tech firms in novel supply chain attack":
Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally by the company.
On seeing this, the researcher wondered, should a package by the same name exist in the public npm repository, in addition to a private NodeJS repository, which one would get priority?
…
Birsan soon realized, should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead – without needing any action from the developer.
So I guess the question is: does opam allow using both a private and a public repository in the same project, and does it automatically prioritize the public version of a package when solving for dependencies?
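The mechanism the quoted article describes (a resolver that searches every configured repository and takes the best version it finds, so a public package with the same name outranks the private one) is easy to model. The following is an added example, not code from the article, from Birsan's research, or from the opam project; it makes no claim about how opam's solver actually ranks repositories. The repository names, package names and version numbers are constructed for illustration. It contrasts a naive "highest version anywhere" resolver with one that resolves a name inside the trusted private repository whenever that repository defines it, and includes the check a defender would run first: which private package names also exist in the public registry.

```python
"""Constructed model of dependency-confusion resolution.

Added example; it is not the article's, the researcher's or opam's code.
Repository contents, package names and versions below are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple          # (major, minor, patch), compared lexicographically
    repo: str


@dataclass
class Repo:
    name: str
    trusted: bool           # True for the organisation's private repository
    packages: dict = field(default_factory=dict)   # name -> list of version tuples


def resolve_highest_version(name, repos):
    """Naive resolver: look in every repository and return the highest version.

    This is the behaviour dependency confusion exploits: a public package
    registered under an internal name with a large version number wins
    without the developer changing anything.
    """
    candidates = [Candidate(name, v, r.name)
                  for r in repos for v in r.packages.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.version)


def resolve_private_first(name, repos):
    """Hardened resolver: a name defined in a trusted repository is resolved
    there only; public repositories are consulted solely for names that no
    trusted repository defines.
    """
    for r in repos:
        if r.trusted and name in r.packages:
            return Candidate(name, max(r.packages[name]), r.name)
    return resolve_highest_version(name, [r for r in repos if not r.trusted])


def find_confusable_names(private_repo, public_repo):
    """Defender check: private package names that also exist publicly.

    Offline here, the public side is a constructed dict; in practice this
    is the list of internal names you would look up on the public registry.
    """
    return sorted(set(private_repo.packages) & set(public_repo.packages))


# Constructed sample repositories (not real packages).
PRIVATE = Repo("internal", True,
               {"acme-auth": [(1, 2, 0)], "acme-utils": [(0, 9, 1)]})
PUBLIC = Repo("public", False,
              {"acme-auth": [(99, 0, 0)], "lodash": [(4, 17, 21)]})


def demo():
    """Return (naive choice, hardened choice, colliding names) for acme-auth."""
    naive = resolve_highest_version("acme-auth", [PRIVATE, PUBLIC])
    safe = resolve_private_first("acme-auth", [PRIVATE, PUBLIC])
    return naive.repo, safe.repo, find_confusable_names(PRIVATE, PUBLIC)


if __name__ == "__main__":
    naive_repo, safe_repo, collisions = demo()
    print("naive resolver picks:   ", naive_repo)      # public (version 99.0.0 wins)
    print("private-first picks:    ", safe_repo)       # internal
    print("names to worry about:   ", collisions)      # ['acme-auth']
```

The point of the hardened resolver is that the decision is made on the package name's ownership, not on version numbers the attacker controls; whichever package manager you use, the equivalent setting is the one that pins internal names to the internal source (or reserves the names publicly) rather than relying on the public repository being lower in a search order.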