by keepamovin 669 days ago
I see the people posting here suggesting isolation for development. While this is a good model, doesn't it suffer from the risk that you are not using the same isolation set up in production, for whatever reason?

In that sense, isolation for development to solve supply chain security seems a symptom-treater, not a cause-treater.

A more extreme approach is to:

minimize dependencies, build a lot in-house, don't update pre-vetted dependencies before another audit

In general, I think a big dependency chain is useful for getting to PoC quickly (and in some cases it's indeed unavoidable, e.g. numpy etc.), but in building many simplish web apps and client-server applications it's feasible to have a very narrow dependency chain, especially back-end. You can even do this front-end if you eschew framework stuff.
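One concrete way to enforce the "don't update pre-vetted dependencies before another audit" rule described in the comment, as an added example that is not part of the original post: a small Python check that diffs a hash-pinned lockfile against the record of versions that were actually reviewed, and fails when anything new, changed, or unpinned shows up. The package names, versions and digests in `AUDITED` and `LOCKFILE` are constructed sample data; the lockfile format assumed is pip's `name==version --hash=sha256:...` style.

```python
"""Audit-drift check for a pinned dependency lockfile.

Compares what a lockfile pins against the set of (version, sha256) pairs that
were previously vetted, so nothing ships that was not reviewed. Added example;
AUDITED and LOCKFILE below are constructed sample data, not real packages' hashes.
"""
import re

# Constructed audit record: package -> (vetted version, sha256 of the vetted artifact).
AUDITED = {
    "numpy": ("1.26.4", "a" * 64),
    "Requests": ("2.31.0", "b" * 64),   # mixed case on purpose: names get normalised
    "PyYAML": ("6.0.1", "c" * 64),
}

# Constructed lockfile in pip's --require-hashes style. Each line exercises a case:
# identical to the audit, version bumped, same version but different digest, unvetted and unpinned.
LOCKFILE = f"""\
# constructed sample lockfile
numpy==1.26.4 --hash=sha256:{'a' * 64}
requests==2.32.0 --hash=sha256:{'b' * 64}
pyyaml==6.0.1 --hash=sha256:{'d' * 64}
left-pad==1.0.0
"""

# One `name==version` pin with an optional `--hash=sha256:<64 hex>` suffix.
LOCK_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?:\s+--hash=sha256:(?P<sha256>[0-9a-f]{64}))?\s*$"
)


def canonical(name: str) -> str:
    """Normalise a package name the way pip does: fold case and -, _, . separators."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict:
    """Return {canonical name: (version, sha256 or None)} for every pin in the lockfile."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LOCK_RE.match(line)
        if not m:
            # Fail closed: an unparseable line is not silently ignored.
            raise ValueError(f"unrecognised lock line: {raw!r}")
        pinned[canonical(m["name"])] = (m["version"], m["sha256"])
    return pinned


def audit_drift(lock: dict, audited: dict) -> dict:
    """Classify every pinned package relative to the audit record."""
    report = {"unaudited": [], "version_changed": [], "hash_mismatch": [],
              "unpinned": [], "removed": []}
    audited = {canonical(k): v for k, v in audited.items()}
    for name, (version, digest) in sorted(lock.items()):
        if digest is None:
            report["unpinned"].append(name)           # no hash: artifact can be swapped
        if name not in audited:
            report["unaudited"].append(name)          # never reviewed at all
            continue
        vetted_version, vetted_digest = audited[name]
        if version != vetted_version:
            report["version_changed"].append((name, vetted_version, version))
        elif digest is not None and digest != vetted_digest:
            report["hash_mismatch"].append(name)      # same version string, different bytes
    report["removed"] = sorted(set(audited) - set(lock))   # informational only
    return report


def needs_review(report: dict) -> bool:
    """True when anything would ship that the audit record does not cover."""
    return any(report[k] for k in ("unaudited", "version_changed", "hash_mismatch", "unpinned"))


if __name__ == "__main__":
    result = audit_drift(parse_lockfile(LOCKFILE), AUDITED)
    for category, items in result.items():
        print(f"{category}: {items}")
    raise SystemExit(1 if needs_review(result) else 0)
```

Wired into CI as a required step, the non-zero exit blocks a merge that bumps or adds a dependency until someone updates the audit record, which is the point of the rule: the lockfile can only move in lockstep with a review. A version that is unchanged but whose digest differs is reported separately, since that is the case a plain version diff would miss.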