That’s just a vulnerability in a dependency. A supply-chain attack is introducing malicious code in a dependency.