Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.
The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.
Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.
The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.