Your auth library's maintainer is an agent who never sleeps

The article argues that the traditional software supply-chain model breaks when both the publisher and the consumer of a dependency are autonomous agents: every existing mitigation strategy assumes a human tempo on at least one end, and an agent that never sleeps removes that assumption on both. The proposed fix is to make each release independently checkable by the consumer, rather than relying on the publisher's word that a release is safe.
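As an added illustration of what "independently checkable" can mean on the consuming side (this is not code from the article, and the article does not prescribe this mechanism), the following consumer-side gate never accepts a publisher-supplied digest or changelog as evidence. It assumes a consumer-held lockfile that pins (version, sha256) per dependency, and a build step the consumer can run itself; `reproduce_artifact()` is a stand-in for a real reproducible build, and the package names and source trees are constructed sample data.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# Added illustration, not the article's code. Assumptions: the consumer keeps a lockfile pinning
# (version, sha256) per dependency, and can rebuild a release from its tagged source itself.
# reproduce_artifact() stands in for that (hermetic, deterministic) build step.


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    artifact: bytes                                   # bytes the registry served for this version
    source: dict = field(default_factory=dict)        # tagged source tree, fetched independently of the artifact


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproduce_artifact(source: dict) -> bytes:
    # Stand-in for a deterministic build: canonical JSON of the source tree (sorted keys, no whitespace).
    return json.dumps(source, sort_keys=True, separators=(",", ":")).encode()


def accept_release(lockfile: dict, release: Release) -> tuple[bool, str]:
    """Return (accepted, reason). Neither branch trusts anything the publisher asserts."""
    served = sha256(release.artifact)
    pinned = lockfile.get(release.name)
    if pinned is not None and pinned["version"] == release.version:
        # Known version: only the pinned digest decides, so a silent byte swap under the same version fails.
        if served == pinned["sha256"]:
            return True, "artifact matches lockfile pin"
        return False, "artifact digest differs from lockfile pin"
    # New version: rebuild from the tagged source and compare, instead of trusting a publisher-supplied digest.
    rebuilt = sha256(reproduce_artifact(release.source))
    if rebuilt != served:
        return False, "served artifact is not reproducible from tagged source"
    return True, "artifact reproduced from tagged source; pin can be advanced"


# Constructed sample data (hypothetical package, not a real one).
SOURCE_V1 = {"auth/__init__.py": "def login(u, p): return u == 'admin' and p == 'x'\n"}
SOURCE_V2 = {
    "auth/__init__.py": "from .check import check\ndef login(u, p): return check(u, p)\n",
    "auth/check.py": "def check(u, p): ...\n",
}
ARTIFACT_V1 = reproduce_artifact(SOURCE_V1)
LOCKFILE = {"authlib": {"version": "1.0.0", "sha256": sha256(ARTIFACT_V1)}}


def demo() -> dict:
    """Run the gate over four constructed releases and return name -> (accepted, reason)."""
    good_pin = Release("authlib", "1.0.0", ARTIFACT_V1)
    swapped = Release("authlib", "1.0.0", ARTIFACT_V1 + b"\n# extra")            # same version, different bytes
    honest_v2 = Release("authlib", "1.1.0", reproduce_artifact(SOURCE_V2), SOURCE_V2)
    tampered_v2 = Release("authlib", "1.1.0", reproduce_artifact(SOURCE_V2) + b"x", SOURCE_V2)  # artifact != source
    cases = [("good_pin", good_pin), ("swapped", swapped), ("honest_v2", honest_v2), ("tampered_v2", tampered_v2)]
    return {name: accept_release(LOCKFILE, r) for name, r in cases}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

The point of the two branches is that neither depends on the publisher's tempo or honesty: a re-published version with different bytes is rejected by the pin, and a brand-new version is accepted only when the consumer can regenerate the exact artifact from the tagged source. In a real pipeline the stand-in build would be the project's actual reproducible build, and the source would be fetched from a channel separate from the artifact registry.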
