SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
Crates.io does support trusted publishing for GitHub and gitlab. It’s not much, but it’s Honest work.
… I which it supported forgego
It’s not enforced though, and there’s no way as a consumer to see how a crate was published.
To be extremely fair, crates.io has a huge maintenance bottleneck because AFAIK it doesn’t even have a single dedicated developer. But that’s definitely a big part of the problem.
The Rust Foundation is really just not pulling in enough revenue to support the project properly. They really ought to figure out more revenue streams than just sponsorships and donations.