I get a red Socket notice for the package "hast" I'm using in my package (at least in the VS Code extension). However, I am only using the "@types/hast" package which is still updated regularly. I think this is probably a more rare case, but wanted to flag it.