by verdverm 1704 days ago
It's both, for example parsing an import string, or what makes a valid module name, are part of the language. These have restrictions that prevent Unicode glyph attacks.

The fact that imports require a domain name prefix prevents dependency confusion.

1 comments

All the language (and really the interpreter/compiler) is doing in this example is making sure you haven't done something silly like try to assign a `char` to a `long double`

That's barely* addressing supply chain attacks

Linguistically, an import of `bubbleglyph.myimport` is no different than `bubbleglypf.myimport` (except for one [valid] character) - nor would importing it from repository A be any different than repository B

You still have to rely on outside-the-language security checks to ensure you're getting

1) what you want

2) from where you want

3) and that it's "correct"/"safe" to use
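The two comments above describe two layers: the language-level path rules (ASCII-only elements, domain-name prefix) and the policy check that has to live outside the language. As an added illustration that is not from either commenter, and assuming a Go-style module path (the page itself does not name the language; the ASCII alphabet and the trusted-path list are assumptions), here is one layer beside the other:

```go
package main

import (
	"fmt"
	"strings"
)

// CheckImportPath enforces the thread's two language-level rules: elements
// use an ASCII-only alphabet (assumed here: letters, digits and "-._~"), so
// Unicode look-alike glyphs are rejected, and the first element is a domain.
func CheckImportPath(p string) error {
	elems := strings.Split(p, "/")
	if !strings.Contains(elems[0], ".") {
		return fmt.Errorf("first element %q is not a domain name", elems[0])
	}
	for _, e := range elems {
		if e == "" {
			return fmt.Errorf("empty element in %q", p)
		}
		for _, r := range e {
			ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
				(r >= '0' && r <= '9') || strings.ContainsRune("-._~", r)
			if !ok {
				return fmt.Errorf("character %q not allowed in %q", r, e)
			}
		}
	}
	return nil
}

// NearMiss is the outside-the-language policy check the second comment
// asks for: a syntactically valid path that differs from a trusted path in
// exactly one byte (the bubbleglyph/bubbleglypf case) is flagged for review.
func NearMiss(p string, trusted []string) (string, bool) {
	for _, t := range trusted {
		if len(t) != len(p) {
			continue
		}
		diff := 0
		for i := range p {
			if p[i] != t[i] {
				diff++
			}
		}
		if diff == 1 {
			return t, true
		}
	}
	return "", false
}
```

`CheckImportPath` rejects the homoglyph and the missing-domain cases outright, while `NearMiss` shows why a valid `bubbleglypf` still needs a trusted-path list to be caught.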