That includes Java (Maven), Ruby (Gems, Bundler), Node (npm), Haskell (stack), etc. etc.
Installing code via package managers is the coder's equivalent of opening up an .exe sent to you in an email.
Code downloaded from the internet is not to be trusted.
Signing packages helps against typosquatting about as much as SSL certificates help against phishing. Or in other words, not at all, especially if we don't have the certificates rooted in real world identities (like EV SSL certs).