Remix clone Hacker News

new | show | ask | jobs Github

	▲	weinzierl 3 hours ago
		"exactly the same software supply chain problem" While the crates ecosystem is certainly not immune to supply chain attacks this over generalization is not justified. There are several features that make crates.io more robust than npm. One of them is that vulnerable versions can be yanked without human intervention. Desperate comments from maintainers like this one[1] from just a few days ago would not happen with crates.io. There are also features not provided by crates.io that make the situation better. For example you could very easily clone the repo and run `cargo vet` to check how many of the packages had human audits. I'd done it if I was on a computer, but a quick glance at the Cargo.lock file makes me confident that you'd get a significant number. [1] https://news.ycombinator.com/item?id=45170687