Hacker News
by cyberbanjo 1704 days ago
Can you prevent these types of attacks simply by pinning dependencies to known-safe versions?

Because you mention supply-chain attacks, I assume you're familiar with Nix/Guix linux distributions/package managers?


Go's dependency management is pretty sophisticated w.r.t. mitigating supply chain attacks.

I'm working on a post about it

https://verdverm.com/go-mods/

That's not a language thing, though - that's a dependency management thing :)

It's both. For example, parsing an import string, or what makes a valid module name, is part of the language. These have restrictions that prevent Unicode glyph attacks.

The fact that imports require a domain name prefix prevents dependency confusion.
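As an added illustration (not from the thread and not Go's own source), a simplified re-implementation of the module-path shape rules the comment refers to (the real ones live in golang.org/x/mod/module.CheckPath): a domain-like first element is required and non-ASCII look-alike glyphs are rejected, while a one-ASCII-character typo in an otherwise well-formed path is accepted. Sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// checkModulePath approximates the shape rules Go enforces on module paths.
// This is a simplified re-implementation written for this example, not Go's code:
//   - the path is a non-empty sequence of "/"-separated, non-empty elements
//   - the first element must look like a domain, i.e. contain a dot
//   - every element uses only ASCII letters, digits and "-._~"
// Non-ASCII look-alike glyphs are therefore rejected outright.
func checkModulePath(path string) error {
	if path == "" {
		return errors.New("empty module path")
	}
	elems := strings.Split(path, "/")
	if !strings.Contains(elems[0], ".") {
		return fmt.Errorf("first element %q is not a domain-like name", elems[0])
	}
	for _, e := range elems {
		if e == "" {
			return errors.New("empty path element")
		}
		for _, r := range e {
			if r > unicode.MaxASCII {
				return fmt.Errorf("non-ASCII character %q in %q", r, e)
			}
			if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' ||
				r >= '0' && r <= '9' || strings.ContainsRune("-._~", r)) {
				return fmt.Errorf("invalid character %q in %q", r, e)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample paths, not real modules.
	for _, p := range []string{
		"github.com/example/bubbleglyph",      // well-formed
		"github.com/example/bubbleglypf",      // ASCII typo: still structurally valid
		"github.com/example/bubblegl\u0443ph", // Cyrillic 'у' look-alike: rejected
		"example/bubbleglyph",                 // no domain-like prefix: rejected
	} {
		fmt.Printf("%-40s %v\n", p, checkModulePath(p))
	}
}
```

The typo-squatted path passing the check is exactly the gap the language rules leave: they constrain the shape of a name, not which name you meant.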

All the language (and really the interpreter/compiler) is doing in this example is making sure you haven't done something silly like try to assign a `char` to a `long double`.

That's barely* addressing supply chain attacks.

Linguistically, an import of `bubbleglyph.myimport` is no different than `bubbleglypf.myimport` (except for one [valid] character) - nor would importing it from repository A be any different than repository B.

You still have to rely on outside-the-language security checks to ensure you're getting

1) what you want

2) from where you want

3) and that it's "correct"/"safe" to use