by sshine 233 days ago
In Terraform/OpenTofu you just run into unreliable providers, third-party providers that make your supply chain a little questionable, or providers with half-broken APIs that weren’t ever intended to be called via Terraform. (How many hash-pin their binary third-party providers? https://github.com/nix-community/nixpkgs-terraform-providers... is still open after 2 years.)

Not just bad FOSS actors, things just fall apart in every ecosystem over time as actors stop contributing.

More dependencies = more problems. Long dependency chains mean more dependencies. IaC generally doesn’t have long chains. But you can still depend on a ton of Dockerfiles, images, charts, and the same software that gets packaged ends up with CVEs in images rather than at the library import level.
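The hash-pinning question in the comment above is checkable: Terraform and OpenTofu record provider checksums in `.terraform.lock.hcl` (`h1:` entries are per-platform zip hashes, `zh:` entries come from the registry's SHA256SUMS file), and `terraform providers lock -platform=...` adds `h1:` hashes for platforms other than the one you ran `init` on. The script below is an added example, not code from the commenter or from any project in the thread. It audits a constructed lock file against a constructed `required_providers` block and reports providers that are declared but not locked, locked without hashes, missing `zh:` hashes, short of the number of `h1:` hashes a multi-platform team needs, or published outside the `hashicorp` namespace. The provider names, versions and hash strings are all made up for the example; the regexes assume the formatting `terraform init` writes and are not a general HCL parser.

```python
"""Audit a Terraform/OpenTofu dependency lock file for supply-chain hygiene.

Added example, not from the thread. Checks a constructed .terraform.lock.hcl
against a constructed required_providers block.
"""
import re

# Constructed sample lock file in the layout `terraform init` writes.
# Hash values are placeholders, not real checksums.
LOCK_HCL = '''# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.31.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:constructed-aws-darwin-arm64-zip-hash",
    "h1:constructed-aws-linux-amd64-zip-hash",
    "zh:constructed-aws-sha256sums-entry-1",
    "zh:constructed-aws-sha256sums-entry-2",
  ]
}

provider "registry.terraform.io/examplecorp/widgets" {
  version     = "0.3.1"
  constraints = "0.3.1"
  hashes = [
    "h1:constructed-widgets-darwin-arm64-zip-hash",
  ]
}
'''

# Constructed required_providers block; "examplecorp/widgets" is hypothetical.
VERSIONS_TF = '''terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
    widgets = {
      source  = "examplecorp/widgets"
      version = "0.3.1"
    }
  }
}
'''

REGISTRY = "registry.terraform.io"

# Regexes tuned to the lock-file layout shown above, not a full HCL parser.
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)
HASHES_RE = re.compile(r'hashes\s*=\s*\[(.*?)\]', re.S)
HASH_ITEM_RE = re.compile(r'"([^"]+)"')
SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')


def canonical(source):
    """Expand the short 'namespace/name' form to the registry-qualified form."""
    parts = source.split("/")
    if len(parts) == 2:
        return f"{REGISTRY}/{parts[0]}/{parts[1]}"
    return source


def parse_lock(text):
    """Return {provider source: {"version": str, "hashes": [str, ...]}}."""
    out = {}
    for m in PROVIDER_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        version = VERSION_RE.search(body)
        hashes_block = HASHES_RE.search(body)
        hashes = HASH_ITEM_RE.findall(hashes_block.group(1)) if hashes_block else []
        out[name] = {"version": version.group(1) if version else None,
                     "hashes": hashes}
    return out


def declared_providers(tf_text):
    """Provider sources named in required_providers, registry-qualified."""
    return {canonical(s) for s in SOURCE_RE.findall(tf_text)}


def audit(lock_text, tf_text, min_h1=1):
    """Return a list of (provider source, finding) pairs; empty means clean.

    min_h1 is the number of platforms you build on (e.g. 2 for macOS dev
    laptops plus linux_amd64 CI); each needs its own h1: hash."""
    lock = parse_lock(lock_text)
    findings = []
    for src in sorted(declared_providers(tf_text)):
        if src not in lock:
            findings.append((src, "declared but not in lock file; run terraform init "
                                  "and commit .terraform.lock.hcl"))
    for src, entry in sorted(lock.items()):
        h1 = [h for h in entry["hashes"] if h.startswith("h1:")]
        zh = [h for h in entry["hashes"] if h.startswith("zh:")]
        if not entry["hashes"]:
            findings.append((src, "no hashes recorded; provider binary is unpinned"))
        else:
            if not zh:
                findings.append((src, "no zh: hashes; registry SHA256SUMS not recorded"))
            if len(h1) < min_h1:
                findings.append((src, f"only {len(h1)} h1: hash(es); run "
                                      "terraform providers lock -platform=... "
                                      "for every dev and CI platform"))
        namespace = src.split("/")[-2]
        if namespace != "hashicorp":
            findings.append((src, "third-party namespace; review who publishes it"))
    return findings


if __name__ == "__main__":
    for src, finding in audit(LOCK_HCL, VERSIONS_TF, min_h1=2):
        print(f"{src}: {finding}")
```

Run in CI against the real lock file and `versions.tf`; a non-empty result from `audit` is the gate. The `min_h1` knob matters because `terraform init` on a laptop only records the laptop's platform `h1:` hash, so a lock committed from macOS needs `terraform providers lock -platform=linux_amd64` before Linux runners can verify the same binaries against an `h1:` entry.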