>> The security failure is in an ecosystem that allows packages to run arbitrary code silently.
> No, your security failure is that you use a package manager that allows third parties to push arbitrary code into your product with no oversight.
How about both? It’s conceptually straightforward to build a language in which code cannot do anything other than read its inputs, consume resources, and produce correctly typed output.
This would not fully solve the supply chain problem — malicious code could produce maliciously incorrect output or exploit side channels, but the exposure would be much, much less than it is now.