6
Today's compromised npm package: https://github.com/dominictarr/event-stream/issues/116 only had the malicious code in the minified version.
We don't always think of JS as a compiled language, but reproducible/verifiable compilation would have helped here.