DigiNews

Tech Watch by Johan Denoyer


Npm Slop & Wonky Software Supply Chains

Quality: 9/10 Relevance: 9/10

Summary

The article critiques npm and PyPI for not being source-based and highlights how unreproducible bundles and attestation gaps create supply chain risks. It uses concrete examples (OpenClaw, Express, Vite, Rolldown) to show how transitive dependencies and unpinned build environments undermine reproducibility, and it discusses potential improvements such as source pinning, submodules, and alternative build ecosystems like Nix/Guix. It also notes attestation as helpful but insufficient on its own.

🚀 Service built by Johan Denoyer