eastbound 5 hours ago

Your suggestion is that I should reimplement React from scratch to avoid supply chain attacks. Like an American fab should extract ore locally to prevent shortages.

minitech 4 hours ago

If you ignore the other half of the suggestion, yeah. Designating trusted reviewers to audit dependencies like React would be downright cheap at scale. The issue is just setting up and popularizing the systems to achieve this. It’s a little harder than it should be because lots of companies don’t take software security seriously enough.

(And hey, if anyone is looking for people to do this kind of work for their node_modules at very low cost, I’m available right now! `unfrosted_handsaw${107 * 2}@simplelogin.com`)
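An added illustration of the kind of system the comment above is asking for: a check that every third-party package resolved in a project's `package-lock.json` has a sign-off from a designated reviewer for that exact version and tarball hash. This is example code written for this page, not code from minitech, React, or npm; the audit-record format (`name`, `version`, `integrity`, `reviewer`, `criteria`) is a hypothetical one modelled on the idea of per-version reviewer attestations, and the lockfile contents and `sha512-...` integrity strings below are constructed sample data, not real registry hashes.

```javascript
// Example (not from the original thread): verify a package-lock.json against
// a list of trusted-reviewer audits. A package passes only when some reviewer
// has signed off on the same name, version AND integrity hash that the lockfile
// resolved; a matching version with a different hash is flagged separately,
// since that is the signature of a republished or tampered tarball.

// Constructed sample lockfile in npm lockfileVersion 2/3 shape (a "packages"
// map keyed by install path). Hashes are placeholders, not real values.
const lockfile = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { react: '^18.2.0' } },
    'node_modules/react': {
      version: '18.2.0',
      resolved: 'https://registry.npmjs.org/react/-/react-18.2.0.tgz',
      integrity: 'sha512-CONSTRUCTED_REACT_HASH',
    },
    // Nested install: the package name is the part after the last node_modules/.
    'node_modules/react/node_modules/js-tokens': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED_JS_TOKENS_HASH',
    },
    'node_modules/loose-envify': {
      version: '1.4.0',
      resolved: 'https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz',
      integrity: 'sha512-CONSTRUCTED_LOOSE_ENVIFY_HASH_V2', // differs from the audit below
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED_LEFT_PAD_HASH',
    },
  },
};

// Constructed audit records (hypothetical format): one sign-off per reviewed
// name@version, pinned to the tarball hash the reviewer actually read.
const audits = [
  { name: 'react', version: '18.2.0', integrity: 'sha512-CONSTRUCTED_REACT_HASH', reviewer: 'alice', criteria: 'safe-to-deploy' },
  { name: 'js-tokens', version: '4.0.0', integrity: 'sha512-CONSTRUCTED_JS_TOKENS_HASH', reviewer: 'bob', criteria: 'safe-to-deploy' },
  { name: 'loose-envify', version: '1.4.0', integrity: 'sha512-CONSTRUCTED_LOOSE_ENVIFY_HASH', reviewer: 'bob', criteria: 'safe-to-deploy' },
  // left-pad@1.3.0 has no audit record at all.
];

// Derive the package name from a lockfile install path, e.g.
// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Compare every resolved package with the audit list. Returns three buckets:
// audited (name@version + hash match), unaudited (no record for that version),
// mismatched (record exists but the lockfile resolved a different tarball hash).
function checkLockfile(lock, auditList) {
  if (!lock.packages || lock.lockfileVersion < 2) {
    throw new Error('expects lockfileVersion 2 or 3 with a "packages" map');
  }
  const byKey = new Map(auditList.map((a) => [`${a.name}@${a.version}`, a]));
  const result = { audited: [], unaudited: [], mismatched: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '') continue;   // the root project itself
    if (entry.link) continue;        // workspace symlink, not a registry tarball
    const name = entry.name ?? packageNameFromPath(lockPath);
    const key = `${name}@${entry.version}`;
    const audit = byKey.get(key);
    if (!audit) {
      result.unaudited.push(key);
    } else if (audit.integrity !== entry.integrity) {
      result.mismatched.push({ pkg: key, reviewer: audit.reviewer, expected: audit.integrity, actual: entry.integrity });
    } else {
      result.audited.push({ pkg: key, reviewer: audit.reviewer, criteria: audit.criteria });
    }
  }
  return result;
}

// Running the check on the constructed data: react and js-tokens pass,
// left-pad is unaudited, loose-envify has an audit for a different tarball.
const report = checkLockfile(lockfile, audits);
console.log(JSON.stringify(report, null, 2));
```

In a CI job the natural policy is to fail the build when `unaudited` or `mismatched` is non-empty, so a dependency bump cannot land until a designated reviewer has recorded a sign-off for the new version's hash. Keying the audit on the integrity hash rather than the version string alone is what makes the record meaningful: the reviewer attests to the bytes they read, not to a label the registry could reassign.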