GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
R (largely and by default) relies on CRAN, and they are extremely selective about what packages they accept, including testing new package versions against downstream packages before publishing an update, etc. That largely mitigates many of the concerns of some random 10 layer deep dependency getting swapped for something malicious.
R has the same problems as far as I’m aware, though it doesn’t form the core of a lot of modern CI of course!
R (largely and by default) relies on CRAN, and they are extremely selective about what packages they accept, including testing new package versions against downstream packages before publishing an update, etc. That largely mitigates many of the concerns of some random 10 layer deep dependency getting swapped for something malicious.