
Dependencies are liabilities, and any package manager that includes something like build.rs, setup.py, etc. is vulnerable to RCE. None of this is news, but it's unnerving that a vast section of our industry seems to either be totally unaware, or totally apathetic.
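Added example (not any commenter's code): a defender-side triage check that inspects a Python sdist tarball for the install-time hooks the comment names (setup.py, and build.rs for Cargo crates) and flags patterns that deserve a human look before the package is built from source. The sample archive is constructed in memory, and the pattern list is a heuristic assumption rather than a standard.

```python
import io
import re
import tarfile

# Files that run arbitrary code at build/install time when a package is
# built from source: setup.py for Python, build.rs for Cargo crates.
INSTALL_HOOKS = ("setup.py", "build.rs")

# Heuristic patterns (assumed, not a standard) that mean "this hook does more
# than declare metadata". A hit is a reason to read the file, not proof of malice.
SUSPICIOUS = {
    "subprocess": re.compile(r"\bsubprocess\b"),
    "os.system": re.compile(r"\bos\.system\b"),
    "exec/eval": re.compile(r"\b(exec|eval)\s*\("),
    "network": re.compile(r"\b(urllib|requests|socket)\b"),
    "custom cmdclass": re.compile(r"\bcmdclass\s*="),
    "base64": re.compile(r"\bbase64\b"),
}


def audit_sdist(data: bytes) -> dict:
    """Return {member_name: [matched labels]} for each top-level install hook.

    An empty dict means the archive carries no install-time hook at all
    (e.g. a pyproject-only layout), which is the safe answer.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Only the hook directly under the sdist root runs on install;
            # a setup.py buried in tests/ does not.
            parts = member.name.split("/")
            if len(parts) != 2 or parts[1] not in INSTALL_HOOKS:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            findings[member.name] = [label for label, rx in SUSPICIOUS.items()
                                     if rx.search(text)]
    return findings


def make_sample_sdist(files: dict) -> bytes:
    """Build a constructed in-memory sdist ({path: bytes}) for demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

In practice this sits in front of a source build; where a wheel is available, pip's `--only-binary :all:` avoids running setup.py at all.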



There's a sort of "layer 0" problem above this which is: requiring 1000 different libraries from 900 different publishers to make a hello world program is going to end in tears. The modern languages need to consolidate into a few stdlib type libraries. Once that's done the problem of assuring the supply chain becomes more tractable.


Python, one of the two languages mentioned in the parent comment, has if anything a standard library that is TOO extensive, as made evident by the ‘dead batteries’ stdlib removal effort.



