GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
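The three gaps the headline names (no lockfile, no integrity check, no transitive pinning) have one widely used partial mitigation: referencing every `uses:` action by a full 40-hex commit SHA, which Git treats as immutable, rather than by a tag or branch, which the action's owner can move. The scanner below is an added example written for this page, not code from the article or from GitHub; it walks a workflow file line by line with a regular expression (not a YAML parser, so it is a heuristic) and reports each `uses:` reference that is not SHA-pinned. The workflow text and the SHA it contains are constructed for the example.

```python
import re

# Constructed sample workflow (not from any real project); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: build
        run: make
"""

# A full Git object id: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: <ref>" or "uses: <ref>", stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` reference.

    Returns 'local' (path inside the repository), 'pinned' (commit SHA),
    'mutable' (tag, branch, or no ref at all), or for container images
    'docker-pinned' (digest) / 'docker-mutable' (tag only).
    """
    if ref.startswith(("./", "../")):
        return "local"
    if ref.startswith("docker://"):
        return "docker-pinned" if "@sha256:" in ref else "docker-mutable"
    if "@" not in ref:
        return "mutable"  # no ref resolves to the default branch, which moves
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, classification) for every mutable `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "docker-mutable"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}; pin to a commit SHA or image digest")
```

Running it on the sample reports `actions/checkout@v4` and `docker://alpine:3.20`; the SHA-pinned step and the local action pass. SHA pinning makes the reference immutable but says nothing about whether the pinned commit is trustworthy, and it does not reach the actions that a composite or JavaScript action pulls in itself, which is the transitive gap the headline points at. Keeping the version tag in a trailing comment, as the sample does, lets tools such as Dependabot update the SHA while the comment stays readable.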
R (largely and by default) relies on CRAN, and they are extremely selective about what packages they accept, including testing new package versions against downstream packages before publishing an update, etc. That largely mitigates many of the concerns of some random 10 layer deep dependency getting swapped for something malicious.