GHSA-pjwm-rvh2-c87w VS crater

The SUNSPOT malware, Codecov breach, and lot of compromised open-source packages (like was the case with ua-parser-js) target the CI/ CD pipeline to modify release build or exfiltrate credentials.

I think you are misunderstanding the attack vector in the article you linked. This isn't the same thing we were discussing, please see https://github.com/advisories/GHSA-pjwm-rvh2-c87w. This was not a compromise designed to go after the visitors of the website so far as I can tell (and even if it were, it couldn't do much except possibly steal a password if you entered it on a compromised site or steal cookie data). This was designed to target people who were using the library in their software, aka, it was targeting the build-chain of the developers, and many devs and companies as a result had computers compromised when the updated their versions, which caused the compromised version to download to their computers.

Github has published an advisory for the package https://github.com/advisories/GHSA-pjwm-rvh2-c87w

yup, they reference it as an inspiration: https://github.com/rust-lang/crater

it's probably impossible to automate an entire ecosystem, and there is value to enabling a tighter integration within a project ecosystem (a subset of the language ecosystem).

Rather than hypothesising about an imagined tool you could look at the actual tool which of course is in Rust's source code repo: https://github.com/rust-lang/crater

> new proposed C++ changes - are checked against only easily and "well-known" accessible package.

Now that I have, so to say, shown you mine, lets see yours. Where is the tool to perform these checks in C++?

The "break things" part of "move fast" is not essential, Rust cares so much about breakage they literally compile and run the tests for every crate on crates.io and github using a tool called Crater. They do this just to test changes, even for stuff thats documented to be unstable, because thats just courtesy. And tooling makes it trivial to switch between Rust versions.

The bot's named Crater if you want to look into it more.

See https://github.com/rust-lang/crater

Rust compiler developers use a tool called Crater to test potentially breaking compiler changes on all crates (Rust's name for libraries) uploaded to the official repository. If plugin stability is the issue, maybe a solution along these lines would be better than merging these plugins to Neovim's core?

https://github.com/rust-lang/crater is the bot they use to test proposed compiler/stdlib changes against slices of the crates.io library up to and including "all of it".

The tool you're referring to is called Crater: https://github.com/rust-lang/crater.

I'm pretty certain this isn't actually true. You should look at the editions, etc. Rust also has an insane guarantee which I am certain C/C++ don't offer: It rebuilds its entire library ecosystem each time it ships to make sure nothing breaks (https://crater.rust-lang.org). I've never seen an instance were old code didn't compile on a new compiler. Rust isn't forwards compatible (new code compiles on an old compiler) of course, but what is?