r2vcap 4 hours ago

From a supply-chain perspective, Cargo is still in the same broad risk category as npm and PyPI: installing packages means trusting externally published code, including code that may execute during build or installation.

Rather than looking for someone to blame - in this case, GitHub - we should focus on constructive ways to harden the ecosystem.
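One concrete form of that build-time exposure is Cargo build scripts and proc-macros. As an added example (not code from either commenter), this Python script lists the crates in a `cargo vendor` tree that ship a build.rs or declare a proc-macro, so a reviewer knows which dependencies to read first; the crate names in the constructed sample are invented.

```python
# Added example: enumerate vendored crates whose code runs during the build
# (build scripts) or inside rustc (proc-macros). Sample crate names are invented.
import re
import tempfile
from pathlib import Path

# Minimal Cargo.toml key checks; a TOML parser is more robust, but these cover
# the spellings commonly seen in published manifests.
BUILD_SCRIPT = re.compile(r'^\s*build\s*=\s*"([^"]+)"', re.M)
BUILD_DISABLED = re.compile(r'^\s*build\s*=\s*false', re.M)
PROC_MACRO = re.compile(r'^\s*proc[-_]macro\s*=\s*true', re.M)


def audit_vendor_dir(vendor_dir):
    """Return {crate_dir: [reasons]} for crates that execute code at build
    time (build script) or inside the compiler (proc-macro)."""
    findings = {}
    for crate in sorted(Path(vendor_dir).iterdir()):
        manifest = crate / "Cargo.toml"
        if not manifest.is_file():
            continue
        text = manifest.read_text(encoding="utf-8", errors="replace")
        reasons = []
        declared = BUILD_SCRIPT.search(text)
        if declared:
            reasons.append(f"build script: {declared.group(1)}")
        elif (crate / "build.rs").is_file() and not BUILD_DISABLED.search(text):
            # Cargo runs a top-level build.rs even if the manifest omits it.
            reasons.append("build script: build.rs (implicit)")
        if PROC_MACRO.search(text):
            reasons.append("proc-macro (runs inside the compiler)")
        if reasons:
            findings[crate.name] = reasons
    return findings


def make_sample_vendor():
    """Write a constructed `cargo vendor`-style tree into a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="vendor-"))
    samples = {  # dir name: (Cargo.toml body, ship a build.rs?)
        "plain-util-1.0.0": ('[package]\nname = "plain-util"\n', False),
        "native-bindings-0.2.0": ('[package]\nname = "native-bindings"\n', True),
        "derive-helper-0.1.0": ('[package]\nname = "derive-helper"\n[lib]\nproc-macro = true\n', False),
        "opted-out-0.3.0": ('[package]\nname = "opted-out"\nbuild = false\n', True),
    }
    for name, (manifest, has_build_rs) in samples.items():
        (root / name).mkdir()
        (root / name / "Cargo.toml").write_text(manifest)
        if has_build_rs:
            (root / name / "build.rs").write_text("fn main() {}\n")
    return root
```

Run `audit_vendor_dir` against a real `vendor/` directory to get the short list of crates that deserve a source review before the first `cargo build`.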

rndhouse 3 hours ago

I'm working on a tool for collaboratively reviewing Rust crate dependencies: https://github.com/thirdpass-org/thirdpass

Also supports npm, PyPI, and Ansible Galaxy.