That’s a very interesting thought and I agree: https://benhoyt.com/writings/dependencies/
@lyse@lyse.isobeef.org Indeed. Very unpopular, though. I’ve long given up that fight at work.
In reality, there are too few real incidents. It doesn’t hurt enough. It’s always: “Something could happen!” But we’ve never been hit big time by an attack like this … so I just look like a paranoid idiot.
@movq@www.uninformativ.de Yeah. Unfortunately. :-( I tried to bring up the subject of dependency upgrade reviews a few times, but nobody else cared. We finally experienced a supply chain attack (luckily, it didn’t turn out too horrible for us, could have been worse) and this got the discussion slowly rolling again. So, the publication of this article is perfect timing. Let’s see. Admittedly, I don’t have high hopes. And I bet someone suggests using AI agents…