by atdt 62 days ago
What exactly would you have done differently?

Cargo made its debut in 2014, a year before the infamous left-pad incident, and three years before the first large-scale malicious typosquatting attacks hit PyPI and NPM. The risks were not as well-understood then as they are today. And even today it is very far from being a solved problem.


Yet Go is half a decade older and seems to have handled the situation much better.
How does it handle it better, exactly?
You can write a simple HTTP server or REST client with the stdlib in Go. No need to include tokio, serde and a hundred other crates which constantly break things. I have apps written in Go more than a decade ago that work the same now with a recent version of Go. Whereas I had issues getting a few-year-old GitHub apps written in Rust to compile and work.
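What a stdlib-only Go HTTP server plus REST client looks like, as an added example that is not part of the comment above or any project it mentions. Everything comes from `net/http`, `encoding/json` and friends; the names `greeting`, `newMux`, `newServer`, `fetchGreeting` and `roundTrip` are this example's own, the `/hello` route is made up, and an in-process `httptest` server stands in for a real listener so the block runs offline. The explicit timeouts on `http.Server` and the size cap on the client's body read are the two hardening details a practitioner would not want to leave out, since the zero-value server has no timeouts at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// greeting is the JSON document the toy /hello endpoint returns (example type).
type greeting struct {
	Message string `json:"message"`
}

// newMux builds the server-side routes using only the standard library.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		name := r.URL.Query().Get("name")
		if name == "" {
			name = "world"
		}
		w.Header().Set("Content-Type", "application/json")
		// json.Encoder HTML-escapes <, > and & by default, so a hostile
		// ?name= value cannot smuggle markup into the response body.
		_ = json.NewEncoder(w).Encode(greeting{Message: "hello, " + name})
	})
	return mux
}

// newServer wraps the mux in an http.Server with explicit timeouts. The
// zero-value http.Server has no timeouts, which leaves a listener open to
// slow-client connection exhaustion. Run it with newServer(":8080").ListenAndServe().
func newServer(addr string) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           newMux(),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// fetchGreeting is the REST client half: GET baseURL/hello?name=... and
// decode the JSON reply, again with nothing but the standard library.
func fetchGreeting(baseURL, name string) (greeting, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL + "/hello?name=" + url.QueryEscape(name))
	if err != nil {
		return greeting{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return greeting{}, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var g greeting
	// Cap the body at 1 MiB before decoding so a misbehaving server cannot
	// make the client allocate without bound.
	dec := json.NewDecoder(io.LimitReader(resp.Body, 1<<20))
	if err := dec.Decode(&g); err != nil {
		return greeting{}, err
	}
	return g, nil
}

// roundTrip starts an in-process test server (constructed stand-in for a real
// listener) and exercises the client against it, returning the message.
func roundTrip(name string) (string, error) {
	ts := httptest.NewServer(newMux())
	defer ts.Close()
	g, err := fetchGreeting(ts.URL, name)
	if err != nil {
		return "", err
	}
	return g.Message, nil
}

func main() {
	msg, err := roundTrip("gopher")
	if err != nil {
		panic(err)
	}
	fmt.Println(msg)
}
```

The same pair of halves is what a real deployment would split across two binaries; nothing here needs a `go.mod` dependency line, which is the property the comment is pointing at.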
I know what you mean about Go vs. Rust here and I've seen it firsthand, though I believe the effect is overblown. I was able to modernize a fairly old project in literally 15 minutes by using Cargo Clippy's fix mode + a few small hand-crafted changes.

To me a rich stdlib is not a selling point. Both ecosystems have a ton of very high-quality libraries.