Can the crates.io registry be disabled or made non-default? Companies that want to audit their dependencies could then mirror the crates that have been manually approved, and any confusion attack would need to survive their audit process.