Comment by cxr

Comment by cxr a day ago

Not sure what any of what you wrote has to do with the subject at hand. Your comments are vague and come across as non-sequiturs at best.

The only thing I've claimed is that keeping dependencies under source control neutralizes the supply chain attacks that the author of the post describes.

They each belong to two totally different genres of comment.

If you have something concrete to say about the relationship between supply chain attacks and dependencies being excluded from source control in lieu of late-fetching them right at/before build time, then go for it.