The Documentation Attack Surface: How npm Libraries Teach Insecure Patterns

📰 Dev.to · Ethan Kreloff

Across 5 reviews of high-profile npm libraries (195M+ weekly downloads), I found the same pattern: the code is secure, but the README teaches developers to be insecure. One finding resulted in a GitHub Security Advisory on axios.

Published 4 Apr 2026