Comment by CWuestefeld

Devs download python packages, rust crates, ruby gems, npm packages, all of them run code.

You allow developers to download and run arbitrary packages? Where I came from, that went out years ago. We keep "shrinkwrap" servers providing blessed versions of libraries. To test new versions, and to evaluate new packages, there's a highly-locked-down lab environment.