alt Hacker NewsStray thought: adding a library the PR submitter controls would be a good starting point for an XZ/SSH-style supply chain attack: badger & threaten the maintainers to add the dependency, and then sneak something into a future library update.
Stray thought: adding a library the PR submitter controls would be a good starting point for an XZ/SSH-style supply chain attack: badger & threaten the maintainers to add the dependency, and then sneak something into a future library update.
This seems like a huge red flag, there is no need to add any more dependencies to an already fully featured repo