[raesene9]

That's a view of course (although in the case of gVisor they don't actually do versioned build just nightlies) but here's a question.

As a consumer of software libraries, have you ever looked into the security practices of the library author before choosing whether to use it or not?

[ryanbrunner]

This is becoming increasingly impractical for certain ecosystems as packages depend on packages, which depend on packages, etc. It's less of a problem with the bundler ecosystem, where larger packages with relatively few dependencies is more standard, but in the JS world installing a package means that you're likely installing tens or hundreds of sub-dependencies.

[rubber_duck]

I did review two small libs I was pulling that had very few users (and froze the version) But that's just the thing - I will never be in a position to do that for more than a few libs - that's why the best I can do is rely on source enforcing good practices and community audits.