We don’t solve malicious code injected into packages by not re-using components just because s/o else wrote them.
If you have code in pull requests that you don’t know what it does, maybe we shouldn’t accept it? Maybe we shouldn’t rely on volunteers for critical infrastructure?
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!