by kevin_thibedeau 1680 days ago
The root problem is no stdlib and a language design riddled with edge case foot guns that are easy to miss in what should be trivial code.

Again, that's only an aggravating factor, not the root cause. Supply chain attacks can happen in literally any language that has a package manager.

Here's a similar issue that occurred with Python's pip just this year: https://portswigger.net/daily-swig/dependency-confusion-atta...
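To make the pip case concrete, here is an added worked example (not code from either commenter, nor pip's own code) of the resolver behaviour behind dependency confusion. When pip is given both an `--index-url` and an `--extra-index-url`, it treats the two indexes as equal and installs the highest version it finds for a name, wherever that version lives; an attacker who registers an internal package name on the public index with a large version number therefore wins. The toy model below reproduces that selection rule and two mitigations: resolving internal names only against the private index, and pinning requirements with `--hash=sha256:...` so a substituted artifact fails closed. The package names, versions, index contents and artifact bytes are constructed for illustration, and version ordering is simplified to dotted integers.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str       # index the distribution would be fetched from
    content: bytes   # stand-in for the wheel/sdist bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def version_key(v: str) -> Tuple[int, ...]:
    # Simplified ordering: dotted integers only; full PEP 440 handling is omitted.
    return tuple(int(part) for part in v.split("."))


def make_index(index_name: str, packages: Dict[str, List[str]]) -> List[Candidate]:
    # Artifact bytes are derived from (index, name, version) so that two indexes
    # serving the "same" version yield distinguishable builds, as real ones would.
    return [
        Candidate(name, ver, index_name, f"{index_name}:{name}=={ver}".encode())
        for name, versions in packages.items()
        for ver in versions
    ]


# Constructed sample data (hypothetical names): one internal-only package and one
# genuinely public one. The public index carries an attacker-registered 99.0.0.
INDEXES: Dict[str, List[Candidate]] = {
    "private": make_index("private", {"acme-internal-utils": ["1.2.0", "1.3.0"],
                                      "requests": ["2.25.1"]}),
    "public": make_index("public", {"acme-internal-utils": ["99.0.0"],
                                    "requests": ["2.25.1", "2.26.0"]}),
}
INTERNAL_NAMES: Set[str] = {"acme-internal-utils"}


def best_candidate(name: str, pools: Iterable[List[Candidate]],
                   version: Optional[str] = None) -> Optional[Candidate]:
    # Highest version across every pool offered, optionally restricted to one version.
    cands = [c for pool in pools for c in pool
             if c.name == name and (version is None or c.version == version)]
    return max(cands, key=lambda c: version_key(c.version), default=None)


def resolve_merged(name: str, version: Optional[str] = None) -> Optional[Candidate]:
    """The confused behaviour: with --index-url plus --extra-index-url, every index is
    equal and the highest version wins wherever it lives, so the public 99.0.0
    shadows the internal 1.3.0."""
    return best_candidate(name, INDEXES.values(), version)


def resolve_scoped(name: str, version: Optional[str] = None) -> Optional[Candidate]:
    """Mitigation 1: names known to be internal are resolved only against the private
    index. This models a single private index (no extra index) that proxies public
    packages but reserves the internal namespace."""
    pools = [INDEXES["private"]] if name in INTERNAL_NAMES else list(INDEXES.values())
    return best_candidate(name, pools, version)


def install_pinned(name: str, version: str, expected_sha256: str,
                   resolver=resolve_merged) -> Candidate:
    """Mitigation 2: a requirements line pinned as name==version --hash=sha256:<digest>.
    Whatever the resolver picks, the artifact is rejected unless its digest matches,
    so the install fails closed instead of running a substituted package."""
    cand = resolver(name, version)
    if cand is None:
        raise LookupError(f"{name}=={version} not found on any index")
    if cand.sha256() != expected_sha256:
        raise ValueError(f"hash mismatch for {name}=={version} from index "
                         f"{cand.index!r}; refusing to install")
    return cand


if __name__ == "__main__":
    c = resolve_merged("acme-internal-utils")
    print(f"merged resolver picked {c.version} from {c.index}")   # 99.0.0 from public
    c = resolve_scoped("acme-internal-utils")
    print(f"scoped resolver picked {c.version} from {c.index}")   # 1.3.0 from private
    good = resolve_scoped("acme-internal-utils", "1.3.0").sha256()
    print(install_pinned("acme-internal-utils", "1.3.0", good).index)  # private
    try:
        install_pinned("acme-internal-utils", "99.0.0", good)
    except ValueError as exc:
        print(exc)   # the attacker's build does not match the pinned digest
```

Neither mitigation alone is complete: scoping protects only the names you remembered to reserve, and hash pinning breaks the build (rather than being bypassed) when the name is captured, which is the desired failure mode but still needs a human to notice. In practice both are used together with a private index that never lets a public upload shadow an internal name.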