JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Both tools have a point, just different ones ...
Unless your stylesheet is in the same place where you run postcss (process.cwd()), you will need to use the from option to make relative imports work. Only transform imports for which the test function ...