‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens | Kevin Patel
「 “It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string 」
kevinpatel.xyz/posts/no-way-to…
SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow …
Kevin Patel reshared this

Solemarc
in reply to jbz
Will Deakin
in reply to Solemarc
@Solemarc this is an interesting point you raise. I would be interested in seeing any evidence to support this statement.
(Full disclosure: I have contributed to PyPI and have used npm and cargo. I am then only aware of two incidents with PyPI, in August 2025 and February 2026. Both were then identified, fixed and additional security validation put in place...)
Solemarc
in reply to Will Deakin
@wnd a quick Google search gets me an article where Microsoft reports the mistralai PyPI package is compromised. Shai-Hulud also affected PyPI; those are probably the most recent.
As for cargo, the latest one I'm aware of is CVE-2026-33056 which happened in March.
But really, it's just common sense isn't it? Central package repos encourage relying on existing packages, so packages also start relying on existing packages. So you want to compromise something everyone is relying on.
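An added example (not from the thread, and not code from Kevin Patel's post) that makes the "compromise something everyone is relying on" point measurable: given a package-lock.json, it resolves each package's dependencies the way npm lays them out on disk (nearest node_modules first, walking up), counts how many packages in the tree transitively depend on each package name, and finds the deepest dependency chain. The lockfile SAMPLE_LOCK and every package name in it are constructed for illustration.

```javascript
// Added example, not part of the original thread. Analyses a lockfileVersion 2/3
// "packages" map to find the packages that everything else transitively depends on.

// Constructed sample lockfile (names and versions are made up for illustration).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-framework": "^1.0.0", capitalize: "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "string-utils": "^3.0.0", capitalize: "^2.0.0" } },
    "node_modules/string-utils": { version: "3.0.0", dependencies: { capitalize: "^2.0.0", "left-pad": "^1.0.0" } },
    "node_modules/left-pad": { version: "1.3.0", dependencies: { capitalize: "^1.0.0" } },
    "node_modules/left-pad/node_modules/capitalize": { version: "1.0.0" }, // nested duplicate
    "node_modules/capitalize": { version: "2.0.0" },
  },
};

// Package name for a lockfile path: the segment after the last "node_modules/".
function nameOf(path, lock) {
  if (path === "") return lock.name || "(root)";
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Resolve dependency `name` from `fromPath` the way Node does: nearest
// node_modules first, then each enclosing node_modules up to the root.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === "") return null; // optional or missing dependency
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Build path -> [resolved dependency paths].
function buildGraph(lock) {
  const graph = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    const edges = [];
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolvePath(lock.packages, path, dep);
      if (target !== null) edges.push(target);
    }
    graph.set(path, edges);
  }
  return graph;
}

// All paths transitively reachable from `start` (excluding `start` itself).
function reachableFrom(graph, start) {
  const seen = new Set();
  const stack = [...graph.get(start)];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    stack.push(...graph.get(p));
  }
  seen.delete(start);
  return seen;
}

// For each package name, how many packages (root app included) transitively depend
// on it. Multiple installed copies of a name are merged: the registry entry is
// what an attacker would compromise, not one path on disk.
function transitiveDependents(lock) {
  const graph = buildGraph(lock);
  const dependents = new Map();
  for (const from of graph.keys()) {
    for (const reached of reachableFrom(graph, from)) {
      const name = nameOf(reached, lock);
      if (!dependents.has(name)) dependents.set(name, new Set());
      dependents.get(name).add(from);
    }
  }
  return [...dependents]
    .map(([name, s]) => ({ name, dependents: s.size }))
    .sort((a, b) => b.dependents - a.dependents || a.name.localeCompare(b.name));
}

// Longest dependency chain from the root, as package names. Cycles (rare but
// legal in npm) are cut where a path is revisited, so the chain stays finite.
function longestChain(lock) {
  const graph = buildGraph(lock);
  const memo = new Map();
  const onStack = new Set();
  function walk(path) {
    if (memo.has(path)) return memo.get(path);
    if (onStack.has(path)) return [path];
    onStack.add(path);
    let best = [];
    for (const next of graph.get(path)) {
      const chain = walk(next);
      if (chain.length > best.length) best = chain;
    }
    onStack.delete(path);
    const result = [path, ...best];
    memo.set(path, result);
    return result;
  }
  return walk("").map((p) => nameOf(p, lock));
}

function main() {
  console.log("most depended-on names:", transitiveDependents(SAMPLE_LOCK));
  const chain = longestChain(SAMPLE_LOCK);
  console.log(`deepest chain (${chain.length - 1} levels):`, chain.join(" -> "));
}
if (typeof require !== "undefined" && require.main === module) main();
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `transitiveDependents` instead of SAMPLE_LOCK. In the sample, `capitalize` is installed twice (versions 2.0.0 and 1.0.0) and is reached by every other package, so it comes out on top with 4 dependents even though the app only asked for it once; that merged, name-level count is the view a registry attacker takes.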
volkris
in reply to Solemarc
@Solemarc
Yep, the way package repos are used these days promotes that kind of thing, which brings me to my reaction:
“This is just the price of building modern web apps,” sounds completely correct, and it's just a shame that this IS the price we all pay for what the industry regards as the form of a modern web app.
It's caveman stuff to not wire in all of that stuff.
...and so cavemen had faster web browsing even on ancient computers :)
@wnd @jbz