R has the same problems as far as I’m aware, though it doesn’t form the core of a lot of modern CI of course!
GitHub Actions Has a Package Manager, and It Might Be the Worst
Submitted 4 weeks ago by vogi@piefed.social to technology@lemmy.world
https://nesbitt.io/2025/12/06/github-actions-package-manager.html
Comments
Piatro@programming.dev 4 weeks ago
festus@lemmy.ca 4 weeks ago
R (largely and by default) relies on CRAN, and they are extremely selective about what packages they accept, including testing new package versions against downstream packages before publishing an update, etc. That largely mitigates many of the concerns of some random 10 layer deep dependency getting swapped for something malicious.
killeronthecorner@lemmy.world 4 weeks ago
Sounds expensive too.
Ahhh, I get it now.