洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

If crates.io is public infrastructure and it's chronically underfunded, then “audit your own dependencies” is the wrong takeaway. It shifts the cost from the companies that benefit most onto individual teams. A better response is collective funding for crates.io's security work, not making every team repeat the same audit work on its own.

https://purplesyringa.moe/blog/no-one-owes-you-supply-chain-security/