Comment by tylerdavis

18 hours ago

The surface area for supply chain attack with Helix is vanishingly small compared to nvim + n extensions. You’re dealing with a single vendor, versus one per extension. Helix also runs a very slow, deliberate release process, so while it’s certainly possible that a supply chain vulnerability could be shipped, the process in place appears to work well to mitigate it.