@dougwade @0xabad1dea PyPi, Pub, etc have similar issues, but it is also at the core of what makes them useful (to me, at least, as a user, maintainer and contributor). If you are designing a production system (especially public facing), you should always freeze your package versions and review version updates. If you're dealing with critical or protected data then you are probably legally required to have an external audit.

It would be excellent to have some expert reviews of package updates and new submissions but it would be nice to not have it go the way of R/cran.

It's a trade-off...I will say that it is probably a much bigger problem now, as the sheer volume of packages combined with AI/vibe coding means this is going to cause plenty more incidents and increasing numbers of malicious packages.