A lot of libraries are maintained by a single person.

Are those the ones typically involved in supply chain attacks?

There are no perfect solutions, but let's be reasonable.

Actually, yes, they are the prime targets: https://en.wikipedia.org/wiki/Npm_left-pad_incident or seemingly https://en.wikipedia.org/wiki/XZ_Utils_backdoor as well.

xz has dozens of contributors and two active maintainers. It was the actual example I was thinking of. The code was submitted by a third party and not a result of a developer machine compromise.

left-pad wasn't a security incident. It was a capitalism incident.
