And neither does your experience dismiss mine. I have also seen years of vulnerabilities going unnoticed in pinned dependencies four orders transitively removed from anything the developer has ever heard of, of malware being published without review in PyPI and npm, of bitcoin miners and private key sniffers, of bloated and unreliable code from reckless companies who would prefer to save on FTE salaries by leveraging any code they find lying on the street, all while I've seen the package management system I prefer - the one used by Hare - suffer none of these issues.
