🤔 Today I’m thinking about supply-chain attacks in utilities that are written in Go, Rust, etc. and compiled.
With tools like esbuild and LightningCSS, we only have a single dependency, rather than the hundreds/thousands of dependencies in the tree for an npm-based tool.
But if something is written in Rust and it’s using some off-the-shelf crate/package, would I know about that?
Do all tools dependent on a library get flagged if a package is found to have an issue?
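For the Go half of the question there is a concrete answer: a Go binary carries its module list (and replace directives) in embedded build info, so `go version -m <binary>` lists exactly which crate-equivalents were linked in, the standard library's `debug/buildinfo` package reads the same data programmatically, and `govulncheck -mode=binary` matches it against the Go vulnerability database. Rust has the same idea as an opt-in: `cargo auditable` embeds the dependency list in the executable and `cargo audit bin` reads it back. The program below is an added example, not code from the post or from any of the tools named in it. It parses constructed `go version -m` output, honours `=>` replacement lines (a naive reader of the `dep` line would flag a module that was actually replaced by a fixed version), and checks the linked versions against a constructed advisory list. `ParseGoVersionM`, `FindAffected`, every module path, version, sum and advisory ID are made up for illustration, and the version comparison is a simplified semver.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Dep is one module recorded in a Go binary's embedded build info.
type Dep struct {
	Path    string
	Version string
}

// Advisory is a constructed, simplified record: the module is affected at
// every version below Fixed. Real databases carry ranges and affected
// symbols; this is only the shape the example needs.
type Advisory struct {
	ID     string // placeholder identifier, not a real advisory
	Module string
	Fixed  string
}

// sampleGoVersionM is constructed text in the shape `go version -m` prints.
// All module paths, versions and sums are made up; "=>" marks a replacement.
const sampleGoVersionM = "./mytool: go1.22.1\n" +
	"\tpath\tgithub.com/example/mytool\n" +
	"\tmod\tgithub.com/example/mytool\t(devel)\n" +
	"\tdep\tgithub.com/example/parser\tv1.4.2\th1:PLACEHOLDERSUM=\n" +
	"\tdep\tgithub.com/example/textlib\tv0.3.7\th1:PLACEHOLDERSUM=\n" +
	"\tdep\tgithub.com/example/yamlish\tv2.1.0+incompatible\th1:PLACEHOLDERSUM=\n" +
	"\tdep\tgithub.com/example/netlib\tv0.9.0\th1:PLACEHOLDERSUM=\n" +
	"\t=>\tgithub.com/example/netlib\tv0.9.1\th1:PLACEHOLDERSUM=\n" +
	"\tdep\tgithub.com/example/crypto\tv1.2.0-rc1\th1:PLACEHOLDERSUM=\n" +
	"\tbuild\t-buildmode=exe\n"

// sampleAdvisories is a constructed advisory list with placeholder IDs.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Module: "github.com/example/textlib", Fixed: "v0.3.8"},
	{ID: "EXAMPLE-0002", Module: "github.com/example/yamlish", Fixed: "v2.0.5"},
	{ID: "EXAMPLE-0003", Module: "github.com/example/netlib", Fixed: "v0.9.1"},
	{ID: "EXAMPLE-0004", Module: "github.com/example/crypto", Fixed: "v1.2.0"},
}

// ParseGoVersionM extracts the linked module list from `go version -m` text.
// A "=>" line overrides the preceding "dep" line, because the replacement is
// what was actually compiled into the binary.
func ParseGoVersionM(text string) []Dep {
	var deps []Dep
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Split(strings.TrimLeft(line, "\t"), "\t")
		if len(fields) < 3 {
			continue // header, "path" and "build" lines carry no module version
		}
		switch fields[0] {
		case "dep":
			deps = append(deps, Dep{Path: fields[1], Version: fields[2]})
		case "=>":
			if len(deps) > 0 {
				deps[len(deps)-1] = Dep{Path: fields[1], Version: fields[2]}
			}
		}
	}
	return deps
}

// splitSemver returns the numeric MAJOR.MINOR.PATCH core and the pre-release
// suffix. Build metadata (for example "+incompatible") is dropped; parts that
// are not plain integers (pseudo-versions) are treated as 0 for simplicity.
func splitSemver(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+")
	core, pre, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, part := range strings.SplitN(core, ".", 3) {
		n, err := strconv.Atoi(part)
		if err != nil {
			n = 0
		}
		nums[i] = n
	}
	return nums, pre
}

// compareSemver returns -1, 0 or 1. A pre-release sorts below the release
// with the same core numbers; two pre-releases are compared as plain strings.
func compareSemver(a, b string) int {
	ca, pa := splitSemver(a)
	cb, pb := splitSemver(b)
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1
		}
		if ca[i] > cb[i] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// FindAffected reports every advisory whose module is linked into the binary
// at a version below the fixed one, in advisory order.
func FindAffected(deps []Dep, advisories []Advisory) []string {
	linked := make(map[string]string, len(deps))
	for _, d := range deps {
		linked[d.Path] = d.Version
	}
	var hits []string
	for _, adv := range advisories {
		ver, ok := linked[adv.Module]
		if ok && compareSemver(ver, adv.Fixed) < 0 {
			hits = append(hits, fmt.Sprintf("%s: %s %s is below fixed %s", adv.ID, adv.Module, ver, adv.Fixed))
		}
	}
	return hits
}

func main() {
	for _, h := range FindAffected(ParseGoVersionM(sampleGoVersionM), sampleAdvisories) {
		fmt.Println(h)
	}
}
```

On the constructed input this flags textlib (v0.3.7 below v0.3.8) and crypto (a v1.2.0-rc1 pre-release below the v1.2.0 fix), while netlib is cleared because the `=>` line shows the fixed v0.9.1 was linked and yamlish is cleared once `+incompatible` is ignored. The point for the post's question: with Go the answer to "would I know?" is yes, even for a binary someone else built, because the information survives compilation; for Rust it is yes only if the publisher built with `cargo auditable`, otherwise you depend on them shipping an SBOM or lockfile.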