Three things are absolutely true:

1) Package managers are a huge security risk.

2) Recursive dependencies massively increase that risk.

3) You should check all your dependencies into your repo, or at least some kind of manifest with secured signatures of those dependencies, and never automatically update dependencies.

I see a few things that can improve this situation by quite a lot:

1) Languages should provide an extensive and expressive standard library of some sort, either one bundled with the language, or a tightly vetted and controlled set of first-party dependencies.

2) Package managers should not automatically resolve recursive dependencies, but should force users to manually add all dependencies of any dependency that is added. This additional friction would force you to acknowledge all the risk you are taking on by adding dependencies, and it would force the ecosystem as a whole to reduce the number of dependencies.
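As a worked illustration of points 3 and 2 above (pinned, hash-verified dependencies and no silent resolution of transitive dependencies), here is an added example in Python. It is not the commenter's code and not any real package manager's implementation; the package names, artifact bytes, manifest and registry metadata are all constructed for the demonstration. The manifest lists every dependency, direct or transitive, with its pinned version and the SHA-256 recorded when it was first reviewed; installation verifies each downloaded artifact against that record and refuses anything unpinned, and a separate walk over the dependency graph reports every transitive dependency the manifest does not explicitly acknowledge instead of pulling it in automatically.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact, hex-encoded, as it would be stored in the manifest."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded package tarballs, keyed by (name, version).
ARTIFACTS = {
    ("webapp-utils", "2.1.0"): b"webapp-utils-2.1.0 tarball bytes (constructed)",
    ("string-tools", "0.4.2"): b"string-tools-0.4.2 tarball bytes (constructed)",
    ("left-pad-ish", "1.0.0"): b"left-pad-ish-1.0.0 tarball bytes (constructed)",
}

# Constructed pinned manifest checked into the repo: the only versions that may be
# installed, each with the hash recorded at review time. Note that "left-pad-ish",
# a transitive dependency of "string-tools", is deliberately NOT listed yet.
MANIFEST = {
    "webapp-utils": {
        "version": "2.1.0",
        "sha256": sha256_hex(ARTIFACTS[("webapp-utils", "2.1.0")]),
    },
    "string-tools": {
        "version": "0.4.2",
        "sha256": sha256_hex(ARTIFACTS[("string-tools", "0.4.2")]),
    },
}

# Constructed registry metadata: what each package version declares it requires.
REGISTRY_REQUIRES = {
    ("webapp-utils", "2.1.0"): [("string-tools", "0.4.2")],
    ("string-tools", "0.4.2"): [("left-pad-ish", "1.0.0")],
    ("left-pad-ish", "1.0.0"): [],
}


def verify_artifact(name, version, data, manifest):
    """Decide whether a downloaded artifact may be installed.

    Returns (ok, reason). Anything not pinned in the manifest, any version other
    than the pinned one, and any artifact whose hash differs from the recorded
    one is rejected, so a registry-side swap or an automatic upgrade cannot
    slip in unnoticed.
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "not in manifest"
    if entry["version"] != version:
        return False, f"version {version} not pinned (manifest pins {entry['version']})"
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return False, "hash mismatch"
    return True, "ok"


def unacknowledged_transitives(roots, manifest, registry):
    """Walk the dependency graph from the direct dependencies and return every
    (name, version) the graph pulls in that the manifest does not explicitly
    list. Instead of resolving these silently, the caller is expected to review
    and add them by hand, which is the friction the comment argues for."""
    missing = []
    seen = set()
    stack = list(roots)
    while stack:
        name, version = stack.pop()
        if (name, version) in seen:
            continue
        seen.add((name, version))
        entry = manifest.get(name)
        if entry is None or entry["version"] != version:
            missing.append((name, version))
        # Keep descending even past an unlisted package so the full cost of
        # adding it (its own transitive dependencies) is visible at once.
        stack.extend(registry.get((name, version), []))
    return sorted(missing)


if __name__ == "__main__":
    for (name, version), data in ARTIFACTS.items():
        print(name, version, verify_artifact(name, version, data, MANIFEST))
    tampered = ARTIFACTS[("string-tools", "0.4.2")] + b"\x00"
    print("tampered string-tools:", verify_artifact("string-tools", "0.4.2", tampered, MANIFEST))
    roots = [("webapp-utils", "2.1.0")]
    print("must be added explicitly:", unacknowledged_transitives(roots, MANIFEST, REGISTRY_REQUIRES))
```

Run as a script, it accepts the two pinned artifacts, rejects the tampered one with "hash mismatch", rejects the unpinned "left-pad-ish" with "not in manifest", and lists "left-pad-ish 1.0.0" as a transitive dependency that must be reviewed and added to the manifest by hand before installation can proceed.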
