Vet your deps isn't some nice-to-have platitude. You own the thing being built. Offloading that responsibility to a clanker is irresponsible.

And everyone is rightfully blaming the user because the software is just some random code on the internet. The sheer audacity and entitlement of the mouth breather class to his free code is astounding. Don't like it? Don't use it. It is that simple.

The "some people are just learning" angle is bullshit. If you're learning with the clanker and just blindly trust what it tells you, that is a categorical error. The clanker is not an infallible oracle but an adversarial bullshit generator. It is a very useful tool, but it is just a tool. You still need to put in the mental effort to learn and exercise your curiosity.

Finally, in today's clanker reality, there is little reason to have a long ass list of dependencies with shitloads of transitive ones. Just build what you need from scratch. Code production is super cheap now. And even if your clanker makes the same security mistakes as the dependencies you would have used, it is now bespoke to your application. The ROI on pwning something like leftpad vs. your bespoke application is so lopsided. The CVEs lose a lot of power in a polyculture.