Hot take: I blame the modern trend towards containerization of code as a not insignificant partial cause for all the recent package repository breaches being as bad as they are. Okay, hear me out.

When a developer had to get her code to actually build on a machine she doesn't have full control over, it's in her own best interest to keep the dependency graph comparatively straightforward and oftentimes statically linked. If she's trying to build on an arbitrary server OS, she won't want her dependency's dependency's dependency to suddenly be angry about some random library that is installed in a different version and bork the whole thing. So the application and its dependencies remain more tightly coupled.

When an application can be shipped in a container, a developer doesn't have to worry about his container image changing unexpectedly. He can define the whole manifest and get it built the same way every time. Which, sure, is good for reliability in the sense that it's going to build the same way on a desktop and Azure and AWS and GCP. But that also means it creates weird incentives to just add all sorts of 3rd party libraries to the package manifest whenever he wants without even thinking too hard about it, because why not? As long as it builds in the CI/CD, it'll be fine. A sysadmin won't come along and run an update and break shit; it only gets updated on a redeploy.

But of course, now it means that dependency graphs sprawl uncontrollably, because there's way less back pressure to keep your dependencies under control.