Security
The Registry Is Not the Trust Boundary
A June 1 Red Hat disclosure shows why supply chain defense is no longer just about dependency versions. If a compromised GitHub account can push malicious code into a package namespace, the real control point is the publish path, the build graph, and the evidence trail you can verify afterward.