G4E | 3 years ago

Having third-party crates in ring 0 is kind of terrifying when you think about supply chain attacks...

kibwen|3 years ago

So few people actually do their development/testing in truly-sandboxed environments that I don't think that there's actually much of a difference in practice between malicious code running in userspace vs malicious code running in kernelspace (https://xkcd.com/1200/). Of course, I'd love if sandboxed dev environments became more usable and widespread.

rowanG077|3 years ago

I would never expect them to do that without vendoring the package, which mitigates that risk.

esarbe|3 years ago

They don't use cargo.