Professional software development needs to include a software Bill of Materials to help track and manage things like this. https://www.cisa.gov/sbom
Yeah unfortunately these numbers don’t really allow any conclusions to be drawn at all.
Also, they’re not really related to supply chain security, which is more about deliberate subterfuge. I think the interesting stat there would be how many authors are typically being trusted for each crate.
I have the feeling that this wasn’t even done properly (e.g. checking default versions only). Using downloads alone is also not a good filter.
I may give this some time tomorrow and provide my own numbers.
It would be good to know how these figures compare to e.g. pypi, npm.
I don’t think cargo-deny alone is enough. And many in the Rust ecosystem think that if I specify version “1”, it will be enough forever. Many tools nowadays are installed by binstall, so the binary will get older and older and won’t receive any updates.