Ross Wintle

Creative and curious software developer

🤔

rw

Today I’m thinking about supply-chain attacks in utilities that are written in Go, Rust, etc. and compiled.

With tools like esbuild and LightningCSS, we only have a single dependency, rather than the hundreds/thousands of dependencies in the tree for an npm-based tool.

But if something is written in Rust and it’s using some off-the-shelf crate/package, would I know about that?

Do all tools dependent on a library get flagged if a package is found to have an issue?

9 months ago
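An added example (not part of the original status) of how a defender can answer the "would I know about that?" question: a Go binary built with Go 1.18 or later embeds its full module list (readable with `go version -m`), while a Rust binary does not by default, so the Cargo.lock that produced it is the record to inspect. The code parses a constructed sample of each, then matches the recovered transitive dependencies against a constructed advisory list; the advisories, versions and checksums are placeholders, not real findings.

```python
import re
# Constructed sample of `go version -m <binary>` output; Go 1.18+ binaries embed
# this module list, so the tree is recoverable from the compiled artifact.
GO_BUILDINFO = """\
mytool: go1.21.0
\tmod\texample.com/mytool\t(devel)
\tdep\tgolang.org/x/text\tv0.3.7\th1:placeholder
\tdep\tgithub.com/pkg/errors\tv0.9.1\th1:placeholder
"""

# Constructed Cargo.lock fragment; a Rust binary does not embed its crate list by
# default, so the lock file is the record of what the build pulled in.
CARGO_LOCK = """\
[[package]]
name = "hyper"
version = "0.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed advisories (not real ones): ecosystem, package, first fixed version.
ADVISORIES = [("go", "golang.org/x/text", "0.3.8"), ("crates", "hyper", "0.14.10")]

def parse_go_buildinfo(text):
    """Return {module: version} for every 'dep' line, transitive deps included."""
    deps = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] == "dep":
            deps[parts[1]] = parts[2]
    return deps

def parse_cargo_lock(text):
    """Return {crate: version} from each [[package]] block (no TOML library needed)."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            pkgs[name.group(1)] = version.group(1)
    return pkgs

def _vtuple(v):
    return tuple(int(x) for x in v.lstrip("v").split("."))

def find_vulnerable(ecosystem, deps):
    """Return (package, version, fixed) for each dep older than an advisory's fix."""
    hits = []
    for eco, pkg, fixed in ADVISORIES:
        if eco == ecosystem and pkg in deps and _vtuple(deps[pkg]) < _vtuple(fixed):
            hits.append((pkg, deps[pkg], fixed))
    return hits
```

The same matching step is what tools like govulncheck and cargo-audit do against the real Go and RustSec advisory databases; the point here is that the dependency list has to be recovered first, and for Rust that means keeping the lock file (or using cargo-auditable) rather than trusting the single binary.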