
Dependency exploit would be the way for 1Password etc, which are now basically wrapped web apps.


Even with everything, given the norms of lock files for even the most basic of web apps, you're still at "need to roll out a client update".

Now that's not to say that something can't be sneaked into other work! But the bar is a bit higher than "take over a dependency".


That's what happened to SolarWinds; it worked out pretty well for the hackers there.


Only web apps have dependencies?


Web apps are potentially re-downloaded every time you use them.



