I had the major realisation today that we've all been bamboozled.

All the supply chain attacks currently happening would never even happen if we just checked in our language-respective vendor/node_modules/venv directories into git and just deployed straight from that.

Screw the dependency install and upgrade step. Screw the automated build step. Screw the breaking changes because $package_owner doesn't adhere to semver.

We've all been bamboozled into this. Checking in dependencies has always been the way.

Remove vendor/, node_modules/ and venv/ from your .gitignore today and skip the install step in your CI and you eliminate 99% of the attack surface instantly. Was it always that easy???? I think it was!

You think checking in your composer.lock saves you? Hah. npm install is smart and checks for updates and silently installs new versions and updates your lockfile. You should have used npm ci instead.

Do you vet every update to your composer.lock? That one innocent commit hash that's changed could just pull in 20kb of obfuscated exploit code and you'd never know.

All of this is compounded by the longstanding hilarious GitHub bug where you can fork a repository and push your commit to it, then pluck the commit hash and append that to the original repository URL. On the GitHub web interface you'll see a notice that this commit might not belong to this repo or a fork of it, but on the terminal you'll never see that, and that's exactly what the current worms exploit.

Checking in your dependencies and eliminating the install step would make all of this trackable and traceable. IMO the performance hit is worth it.
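As an added example (not part of the original post), here is a small Python audit of the "one innocent commit hash changed in the lockfile" problem for npm's package-lock.json (lockfileVersion 2/3). It flags every entry that resolves to a git URL or to a host other than the public registry, every entry without an integrity hash, and lists exactly which pinned artefacts changed between two lockfile revisions so a reviewer can vet that diff instead of trusting it. The two lockfiles embedded below are constructed sample data; package names, hosts and hashes are placeholders, and the trusted-host set is an assumption for the example.

```python
"""Audit npm package-lock.json pins and diff two lockfile revisions.

Added example for reviewing dependency-pin changes; not code from the
original post. Lockfile contents below are constructed sample data.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption for this example: only the public npm registry is trusted.
TRUSTED_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock, trusted_hosts=TRUSTED_HOSTS):
    """Return (path, reason) findings for entries a reviewer should look at."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        resolved = meta.get("resolved", "")
        if not resolved:
            findings.append((path, "no resolved URL"))
            continue
        if resolved.startswith(("git+", "git:")):
            # A bare commit hash from a git host is exactly the case the post
            # warns about: nothing in the lockfile proves the commit belongs
            # to the upstream repository rather than a fork.
            findings.append((path, f"git dependency pinned by commit: {resolved}"))
        else:
            host = urlparse(resolved).hostname
            if host not in trusted_hosts:
                findings.append((path, f"resolved outside trusted registry: {host}"))
        if not meta.get("integrity"):
            findings.append((path, "no integrity hash"))
    return findings


def diff_lockfiles(old, new):
    """List (path, old_pin, new_pin) for every changed, added or removed pin.

    A pin is the (resolved, integrity) pair; a change in either one counts.
    A missing side is reported as None.
    """
    def pins(lock):
        return {p: (m.get("resolved"), m.get("integrity"))
                for p, m in lock.get("packages", {}).items() if p}
    before, after = pins(old), pins(new)
    return [(path, before.get(path), after.get(path))
            for path in sorted(before.keys() | after.keys())
            if before.get(path) != after.get(path)]


# Constructed sample lockfiles (placeholder names, hosts and hashes).
OLD_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"pkg-a": "^1.3.0", "pkg-b": "^1.4.0"}},
        "node_modules/pkg-a": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH-A"},
        "node_modules/pkg-b": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/pkg-b/-/pkg-b-1.4.0.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH-B"},
    },
}

NEW_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"pkg-a": "^1.3.0", "pkg-b": "^1.4.0"}},
        "node_modules/pkg-a": OLD_LOCK["packages"]["node_modules/pkg-a"],
        # pkg-b silently moved from the registry tarball to a git commit hash.
        "node_modules/pkg-b": {
            "version": "1.4.1",
            "resolved": "git+https://github.com/example-owner/pkg-b.git"
                        "#0123456789abcdef0123456789abcdef01234567"},
        # A new transitive dependency fetched from an unexpected host.
        "node_modules/helper-lib": {
            "version": "0.1.0",
            "resolved": "https://packages.example.net/helper-lib-0.1.0.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH-C"},
    },
}


def run_review(old=OLD_LOCK, new=NEW_LOCK):
    """Audit the new lockfile and diff it against the old one."""
    return {"findings": audit_lockfile(new), "changes": diff_lockfiles(old, new)}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py old-package-lock.json new-package-lock.json
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            report = run_review(json.load(f_old), json.load(f_new))
    else:
        report = run_review()
    print(json.dumps(report, indent=2))
```

Run it with two lockfile paths (the previous and the proposed revision) in a pre-merge check; with no arguments it reviews the constructed sample, where it reports the git-pinned pkg-b (with no integrity hash) and the off-registry helper-lib, and the diff shows exactly those two pins as the only changes. The same review applies whether you keep the install step or vendor node_modules into git: in the vendored case the diff is the tree itself, but the lockfile diff is still the cheapest place to notice a pin that quietly moved off the registry.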